RE: How to pick the right company for penetration testing?

From: Cure, Samuel J (scure_at_kpmg.com)
Date: 01/27/04

    To: "'Gideon Rasmussen, CISSP, CFSO, CFSA, SCSA'" <gideon@infostruct.net>, pen-test@securityfocus.com
    Date: Tue, 27 Jan 2004 14:07:05 -0500
    
    

    Andy,
    I would first make sure that the company is looking for an actual
    penetration test rather than a scan. The term penetration test tends to get
    misused as most clients actually want a scan. As far as scanning tools, each
    has unique properties and not all tools cover the same security concerns. As
    long as the tools that are used are CVE compliant, there is a better chance
    of covering critical vulnerabilities that are agreed upon within the
    security community. If you need further help with qualifying security
    services, contact me and I will be glad to help.

    Thanks.

    Samuel J. Cure
    KPMG LLP, Risk and Advisory Services

    -----Original Message-----
    From: Gideon Rasmussen, CISSP, CFSO, CFSA, SCSA
    [mailto:gideon@infostruct.net]
    Sent: Monday, January 26, 2004 9:03 PM
    To: pen-test@securityfocus.com
    Cc: aoyt78@dsl.pipex.com
    Subject: How to pick the right company for penetration testing?

    Andy,

    You should investigate vulnerability scanning services. The leader in the
    space is Qualys (http://www.qualys.com). In general scanning services offer
    the following... You configure the service, it scans the IP addresses you
    assign and you download reports over https. The reports have an executive
    overview, specific details of each vulnerability, links to advisories and
    patches. The scans can be scheduled for time, date and/or interval (i.e.
    weekly, monthly, etc.). Quite good really.

    I recommend that you sign up for a sample scan. You have nothing to lose.

    Kind regards,

    Gideon

    Gideon T. Rasmussen
    CISSP, CFSO, CFSA, SCSA
    Boca Raton, FL
    gideon@infostruct.net

    -----Original Message-----
    From: Andy Paton [mailto:aoyt78@dsl.pipex.com]
    Sent: 25 January 2004 21:54
    To: pen-test@securityfocus.com
    Subject: How to pick the right company for penetration testing?

    Hi Guys & Girls

    I have a customer who would like to engage with a security partner for
    penetration testing service in the UK.

    I'm in a position to recommend a company and would like to know, what
    credentials/information/references should I ask for from a company who
    offers such services.

    Regards

    AP

    P.S. I don't mind obvious touting for business (I will only pick a UK
    company)



