Network Security Web-App-Sec

Re: Recommendations for web app test?

Subject: Re: Recommendations for web app test?
Date: Sat, 23 Oct 2004 06:07:49 +0100 (BST)
<snip excellent advice from Dan>

I just thought I'd chuck my 0.02p-orth...

You also need to be aware of the differences between network and
application testing. Too often people go ahead with a testing supplier
believing that they'll be secure and it turns out to be a can of worms.
There are always political issues with this and the approach you take can
determine whether or not jobs end up on the line. A good security partner
(a term that sends a chill down my spine but is quite accurate here) will
be able to relate the technical issues down to root causes *without*
saying 'your developers suck'. I'd also ask for a sample report first. If
they list a million instances of a type of vulnerability, I'd avoid them
like the plague.

Ask yourself what you want from security testing. If you want assurance
that best practices have been followed in the implementation of an
application then go ahead and test. If you're not sure that best practices
have been followed, or even what they are then you might want to consider
something more in-depth that includes a review of your development
methodology (if you have one), the business processes surrounding an
application and other security controls and regulations that may be
relevant.

Daniel is definitely right about companies jumping on the bandwagon. Even
CESG's CHECK scheme in the UK means nothing when you're looking at
applications. However, if they have team leaders (note the pluralisation),
ISO accredited documentation systems and CLAS consultants on the team you
can be fairly certain that they're not fly-by-night cowboys.

> what is a good price range?
I can only speak for UK prices, but around the 1000 to 1500UKP range
per day is common.

Again, it depends on what you want. Companies are known to go for
ridiculously low rates when it comes to governments or long-term
relationships. But be aware that cost should not be the ultimate factor in
this case. The better ones are usually more expensive.

<snip recommendations>

I'd also throw in the big 4 if you want to pay more but are more
interested in finding the root business causes or looking at regulatory
compliance. I'd also add Portcullis and Diagonal Security to the list as
far as the UK goes, although I'll own up now to former association with
the latter to save embarrassment later on.

Steve
