PaulDotCom mailing list archives
Network and Web App Pen Test Providers
From: herrasher at gmail.com (Kennith Asher)
Date: Thu, 6 Aug 2009 09:34:13 -0700
First let me say that I totally agree, especially in the case of pen tests, that you get what you pay for. (Assuming you know how to evaluate what you're buying.) Script kiddies and those who simply pass along an unsubstantiated, unverified Qualys report (for instance) don't provide much value regardless of cost.

I am not actually convinced that rotating pen test firms really does much to improve the likelihood of discovering vulnerabilities. I do, however, have a business need to use different vendors. Some of our enterprise customers and prospects require this and audit us against their requirement. I have to balance getting a high-quality result with the need to be able to tell auditors that we are meeting their requirements. I may be able to justify spending our pen test dollars on the same firm provided that I have shown due diligence by evaluating a small handful of alternatives and demonstrating that the choice was made in appreciation of the intent of this requirement. I'm looking for high quality first, low price second.

One other noteworthy item for you to ponder is that current customers perform pen tests of their own on roughly a quarterly basis, and we do have internal quarterly scans as well, so we already have a reasonable level of confidence as to where our vulnerabilities lie.

Thanks for your comment,
Ken

On Aug 6, 2009 7:26 AM, "Paul Asadoorian" <paul at pauldotcom.com> wrote:

> While I am biased (yes, we do pen tests and web app assessments), I don't see the benefit of using different vendors every year. I believe it's better to build a relationship with a reputable company that does a good job. If they do a good job, stick with them, as they understand your business and now have an established relationship. Think of the time spent on the customer's end having to explain your environment, challenges, policies, and business model to a new firm every year.
>
> You can also get a fresh perspective from the same company because they may have added new employees (a good question to ask). Also, using the same firm allows you to build on past tests. Any one company can only get so far in one week, but using the same company for your testing allows them to pick up where they left off. Using a different company, they are going to start fresh, probably finding many of the same problems as the previous company (unless the company totally sucks, which is a different conversation).
>
> My recommendation is to apply a similar level of scrutiny to your pen test company as you do to potential employees. Don't be afraid to ask hard questions, ask for samples of work and references, and even throw a test or challenge at them. This will help you weed out "the suck" :)
>
> Cheers,
> Paul
>
> Raffi Jamgotchian wrote:
> > We would do something similar in the early days, but we would rotate
> >...
>
> --
> Paul Asadoorian
> PaulDotCom Enterprises
> Web: http://pauldotcom.com
> Phone: 401.829.9552
>
> _______________________________________________
> Pauldotcom mailing list
> Pauldotcom at mail.pauldotcom.c...
Current thread:
- Network and Web App Pen Test Providers Kennith Asher (Aug 05)
- Network and Web App Pen Test Providers Vincent Lape (Aug 05)
- Network and Web App Pen Test Providers Raffi Jamgotchian (Aug 06)
- Network and Web App Pen Test Providers Paul Asadoorian (Aug 06)
- Network and Web App Pen Test Providers Mike Patterson (Aug 06)
- Network and Web App Pen Test Providers Paul Asadoorian (Aug 06)
- Network and Web App Pen Test Providers Jim Halfpenny (Aug 06)
- Network and Web App Pen Test Providers Chris Clymer (Aug 06)
- Network and Web App Pen Test Providers Raffi Jamgotchian (Aug 06)
- Network and Web App Pen Test Providers strandjs at gmail.com (Aug 06)
- Network and Web App Pen Test Providers Tim Krabec (Aug 06)
- Network and Web App Pen Test Providers Kennith Asher (Aug 06)
- Network and Web App Pen Test Providers Paul Asadoorian (Aug 06)
- Network and Web App Pen Test Providers Vincent Lape (Aug 05)
- Network and Web App Pen Test Providers Michael Douglas (Aug 06)