Summary: How to go about looking for a pen-tester

From: Ershad Shafi Chowdhury (iru@bol-online.com)
Date: Sun Jun 03 2001 - 22:10:53 PDT


    Greetings! Many thanks to those that responded. As it is traditional and
    polite, I am writing a summary of the replies.
    
    HOW TO GO ABOUT FINDING A SUITABLE PEN-TESTER:
    
    1. Get references from your friends in the same industry. This will help
    short-list the companies you can trust. If you still aren't certain, just go
    with a big, well-known firm.
    2. Hire a consultant if necessary and define the scope of work to the
    Pen-testers. I'd say both an internal and external audit should be done. You
    should ask the pen-testers for suggestions.
    3. Go over their terms and conditions carefully. As with any TOS, have your
    lawyer review it, and discuss anything you don't like with the pen-testing
    company. A good thing to have is a second audit after the recommended changes
    are made.
    4. Ask the company for details on the consultants who will be carrying out
    the work. Although it does not prove anything, a Certified Information
    Systems Security Professional (CISSP) would probably be a good idea.
    5. Ask the company about bonding and insurance. If they don't have a clue,
    dump 'em.
    6. It is blatantly obvious to us that a pen-test covers the system only at
    the time of testing. Any pen-tester that says otherwise is out of his mind.
    But the customer may think, kewl, had only one hole, it's fixed, and I am
    secure. If the pen-tester assures you that there are no worries once the
    test is complete, thinking you are not smart enough, then run. In fact, if
    the pen-tester suggests anything ridiculous or questionable, back off. You
    may be wrong, but don't risk trusting your company's secrets to anyone if
    they try to scare you into hiring them, or if they make unrealistic claims.
    7. Implement the changes as suggested by the pen-testing report. Audit your
    network again with the same pen-tester; if everything goes well, there won't
    be any major issues. If there are issues, keep on fixing the holes and
    repeat the audit until there are no issues.
    8. If you are paranoid, now go and find a second pen-tester and have
    another audit done. This will give you a useful second opinion.
    
    
    That's all for now. Many thanks to kevin, steve, modify, hellnback, etaoin and
    others.
    This archive was generated by hypermail 2b30 : Sun Jun 03 2001 - 23:22:39 PDT