Penetration Testing mailing list archives
RE: How to pick the right company for penetration testing?
From: "Pete Herzog" <pete () isecom org>
Date: Mon, 26 Jan 2004 11:07:28 +0100
Hi,

Although CHECK is part of the UK governmental endorsement, I have not really seen it outside the UK. That said, if the UK is just a starting point for a European partner, CHECK does not have much authority. Another problem is that CHECK is pay-to-play (5000 Bp). I know many excellent UK companies with good work ethic, smart security skills, and a positive cashflow from good sales and service who don't see the value in paying someone for a high-level methodology and course. The larger and more governmentally influenced customers in the UK may require CHECK in England and in that case, the door is shut to them if they can't convince otherwise. However, just to the north, in Wales, government offices are looking for OSSTMM certified people to work and in Scotland, a few of the largest banks and organizations only buy OSSTMM certified tests.

If you want to pick a partner, try buying something from them anonymously first. Go through the procedure of being a tough customer. Judge them on their ethics, sales ability, and service skills. Then when you narrow it down to a few companies, look into sustainability, cash flow, reputation, and other partners.

CHECK has its place but I think it's a mistake to judge ability on that. On the other side, it won't stop us from adding the CHECK methodology to the OSSTMM like we do other high level methodologies.

Sincerely,
-pete.

Pete Herzog, Managing Director
Institute for Security and Open Methodologies
www.isecom.org - www.osstmm.org
www.hackerhighschool.org - www.isestorm.org
-----Original Message-----
From: Nexus [mailto:nexus () patrol i-way co uk]
Sent: Monday, January 26, 2004 01:42 AM
To: Andy Paton; pen-test () securityfocus com
Subject: Re: How to pick the right company for penetration testing?

----- Original Message -----
From: "Andy Paton" <aoyt78 () dsl pipex com>
To: <pen-test () securityfocus com>
Sent: Sunday, January 25, 2004 9:53 PM
Subject: How to pick the right company for penetration testing?

[snip]
P.S. I don't mind obvious touting for business (I will only pick a UK company)

In that case, one option would be to pick a CHECK company from http://www.cesg.gov.uk/site/check/index.cfm as the assault course will certainly be an indication of a certain level of technical competence. Obviously you can infer a couple of things from that, but I won't tout on a technical list ;-)

The fun (personal) answer would be to kick out some ITT's and have a shoot-off against a test box to get an idea of what you will be getting.

Cheers.