Re: Evaluating pentesters



There is a lot of Pen test firms - but my advise is to check with your
QSA if they are offering such service - the goal is to reduce the
number of firms who knows your infrastructure and your network diagram
- and as the QSA already involved in this knowledge, so it will be
better if you let them penetrate your system their selves..

On 3/6/10, Tony Turner <tony_l_turner@xxxxxxxxx> wrote:
Is there some kind of "Who's Who" of penetration testing firms? Right
now my primary methods for evaluating potential firms for pentest
engagements are requesting sanitized reports from past tests and asking
questions about their methodology. Is there some resource online I might
be able to use to locate quality testers? I've been burned in the past
with some real bad ones.. I'm looking for
network/systems/application/web/wireless from a PCI focused firm. Not so
much interested in physical security and social engineering tests at
this time but these services may be useful for future engagements. Also
not interested in paying good money for someone else to just do a
Kismet/Gpsmap or Nessus scan for me and hand me the scan data. Useful
tools of course, but I've met a few idiots who thought that was what
penetration testing was. I am in the SE United States.

--

Tony L Turner
CISSP, CISA, GPEN, GCIA, GSEC, VCP, ITIL-F

------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually
do a proper penetration test. IACRB CPT and CEPT certs require a full
practical examination in order to become certified.

http://www.iacertification.org
------------------------------------------------------------------------



--
Sent from my mobile device

Sent from my Personal GMail Account,,,
Mohamed Farid ,,
m.farid.shawara@xxxxxxxxx

------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified.

http://www.iacertification.org
------------------------------------------------------------------------