> I have been reading with interest this list for a few weeks. Is there
> anything special that a customer should look for when choosing a pen tester?
> e.g., are there any certifications, associations, government agencies that
> guarantee the pen-tester won't use the information learned to harm the
> network? Should the customer specify what is allowed and what is not
> allowed, or give the pen-tester a free hand to do his work? How about
> international agreements? Are there any websites recommending and rating
> pen-testers? Basically, what should a client do to protect himself when asking
> a pen-tester to break into his network?

First - all certifications mean is that someone read a book and managed to
memorize enough of it to pass a test. Do not base your selection of
pen-testers on certifications alone.

As far as agreements go, you would be wise to carefully read over any terms
and conditions supplied by the company doing the tests. If there is anything
in there you do not like or want added, speak up before you sign off on the
proposal. If there are no terms and conditions - run like hell.

The way I would choose a pen-testing or security consulting company would be
by looking at their years in business, their experience, and their
references. In my opinion - you are better off with an established, known
company that can provide you with some good references.

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
"I don't intend to offend - I offend with my intent"

hellNbakat_private
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
This archive was generated by hypermail 2b30 : Sun Jun 03 2001 - 17:41:00 PDT