Another important thing from the penetration tester's viewpoint is to be
precise and an dimpose self-discipline with he engagement's schedule. A
common problem is that the start of the engagement gets delayed or that
the timeframe for the pentest gets reduced or otherwise modified. That
will have an impact on the quality of the results. Also, when a few
schedules are moved around it becomes a nightmare for the pentest
provider to properly allocate and manage its resources across several
jobs at different stages.
I would summarize (from a provider's perspective) the msot important
things as follows:
- A well-defined defined scope
- A well-prepared action plan including all the relevant points of
contact with the customer and an agreed-upon way to communicate with
them. They should be aware that the assessment will take place during
weeks X-Y and they'll need to get involved.
- A precise timeframe and work schedule.
- A follow-up plan to act on the results.
-ivan
Erin Carroll wrote:
On 23 Dec 2005 rklemaster@hotmail.com wrote:
I'm looking for a firm to conduct annual 3rd party vulnerability assesments
for a nationwide carrier ISP. If anyone has any references or stories to
share, I'd like to hear about them.
thanks!
I'll let others speak to what firms or referrals etc. but wanted to inject
some thoughts on what it's like on the other side of the fence which may
be of use when you are making your choice.
By far the most irritating and common issue that crops up as a pen-tester
when doing 3rd party internal/external pen-test and VA's is the lack of a
clearly defined scope from the client. In some cases 60%+ of my billable
time boils down to trying to figure out just what the client wants tested,
what the priorities are, which systems I have to be delicate around (some
tools can cause outages/DoS etc), how many systems, who are the technical
contacts within the client company if questions or issues arise, and who
is the "suit" running the project who can assist with overcoming
roadblocks on the management end of things. Don't get me wrong, the extra
hours billed are nice for my wallet but as the client you are burning a
lot of cash for no reason.
Having all those details nailed down *in advance* goes a long way to
saving you headaches and cash. Additionally, get your legal dept to draft
up an agreement outlining the scope. This is to protect both you and the
VA firm.
Another thing to consider when shopping around on this is to figure out
*in advance* what information you want at the end of the annual
engagement. A management summary of the low hanging fruit? A technical
analysis to take to your engineers? A doc to cover you in regards to
regulatory requirements? If you need the information in a
particular format be sure to communicate that.
The last thing I'll throw in here is to have some sort of action plan to
address the issues that are found. Many times I've come back to reassess a
client's infrastructure only to find the same holes/issues in place with
little or no change. You are hiring me for my expertise. Use it. Oh, I'll
happily cash the check again but most security geeks I know like to see
their imparted knowledge and findings put to use.
-Erin Carroll
Moderator
SecurityFocus pen-test mailing list
------------------------------------------------------------------------------
Audit your website security with Acunetix Web Vulnerability Scanner:
Hackers are concentrating their efforts on attacking applications on your
website. Up to 75% of cyber attacks are launched on shopping carts, forms,
login pages, dynamic content etc. Firewalls, SSL and locked-down servers are
futile against web application hacking. Check your website for
vulnerabilities
to SQL injection, Cross site scripting and other web attacks before hackers
do!
Download Trial at:
http://www.securityfocus.com/sponsor/pen-test_050831
-------------------------------------------------------------------------------
--
---
To strive, to seek, to find, and not to yield.
- Alfred, Lord Tennyson Ulysses,1842
Ivan Arce
CTO
CORE SECURITY TECHNOLOGIES
46 Farnsworth Street
Boston, MA 02210
Ph: 617-399-6980
Fax: 617-399-6987
ivan.arce@coresecurity.com
www.coresecurity.com
PGP Fingerprint: C7A8 ED85 8D7B 9ADC 6836 B25D 207B E78E 2AD1 F65A
------------------------------------------------------------------------------
Audit your website security with Acunetix Web Vulnerability Scanner:
Hackers are concentrating their efforts on attacking applications on your
website. Up to 75% of cyber attacks are launched on shopping carts, forms,
login pages, dynamic content etc. Firewalls, SSL and locked-down servers are
futile against web application hacking. Check your website for vulnerabilities
to SQL injection, Cross site scripting and other web attacks before hackers do!
Download Trial at:
http://www.securityfocus.com/sponsor/pen-test_050831
-------------------------------------------------------------------------------
