Re: Penetration Testing - Human Factor

StyleWar wrote:
> lol
>
> With respect, I think that's a greater commentary on your contracting
> methods than it is on what's available. The Pen-Tests I have run include

Yeah, well, I work for a fortune 50 company, and it's just come to my
attention that my boss doesn't give a crap about whether our pen-testers
"get in".  He just doesn't want any work to do (read: audit items).  He
said, and I quote, "Your standards are too high, and you probably wouldn't
be happy with any pen-tester we brought in."

And yeah, I'm thinking what you're thinking..my CV is getting updated now.

> everything from physical, to logical, to social/administrative.  The
> customer has had to opt out on specific methods and attack trees as part of
> the preengagement process.
>
> -
>
> StyleWar

Sounds great..exactly what we go through.  Also sounds like you're not the
cookie-cutter (Qualys/Nessus, Nikto, NMAP anyone) type contractor that
Fortune 50 customers get stuck with.

That said, we *did* have one good pen-test.  ~2 years ago we paid ISS 40K;
they had a trophy from an obscure, forgotten webapp within two days.  I've
also gotten a shitty pen-test from ISS, so YMMV.

-jp


------------------------------------------------------------------------
This List Sponsored by: Cenzic

Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.
http://www.cenzic.com/products_services/download_hailstorm.php
------------------------------------------------------------------------