From: Erin Carroll (amoeba@amoebazone.com)
Date: Fri Dec 23 2005 - 14:19:35 EST
On 23 Dec 2005 rklemaster@hotmail.com wrote:
> I'm looking for a firm to conduct annual 3rd party vulnerability assesments for a nationwide carrier ISP. If anyone has any references or stories to share, I'd like to hear about them.
> thanks!
I'll let others speak to what firms or referrals etc. but wanted to inject
some thoughts on what it's like on the other side of the fence which may
be of use when you are making your choice.
By far the most irritating and common issue that crops up as a pen-tester
when doing 3rd party internal/external pen-test and VA's is the lack of a
clearly defined scope from the client. In some cases 60%+ of my billable
time boils down to trying to figure out just what the client wants tested,
what the priorities are, which systems I have to be delicate around (some
tools can cause outages/DoS etc), how many systems, who are the technical
contacts within the client company if questions or issues arise, and who
is the "suit" running the project who can assist with overcoming
roadblocks on the management end of things. Don't get me wrong, the extra
hours billed are nice for my wallet but as the client you are burning a
lot of cash for no reason.
Having all those details nailed down *in advance* goes a long way to
saving you headaches and cash. Additionally, get your legal dept to draft
up an agreement outlining the scope. This is to protect both you and the
VA firm.
Another thing to consider when shopping around on this is to figure out
*in advance* what information you want at the end of the annual
engagement. A management summary of the low hanging fruit? A technical
analysis to take to your engineers? A doc to cover you in regards to
regulatory requirements? If you need the information in a
particular format be sure to communicate that.
The last thing I'll throw in here is to have some sort of action plan to
address the issues that are found. Many times I've come back to reassess a
client's infrastructure only to find the same holes/issues in place with
little or no change. You are hiring me for my expertise. Use it. Oh, I'll
happily cash the check again but most security geeks I know like to see
their imparted knowledge and findings put to use.
-Erin Carroll
Moderator
SecurityFocus pen-test mailing list
------------------------------------------------------------------------------
Audit your website security with Acunetix Web Vulnerability Scanner:
Hackers are concentrating their efforts on attacking applications on your
website. Up to 75% of cyber attacks are launched on shopping carts, forms,
login pages, dynamic content etc. Firewalls, SSL and locked-down servers are
futile against web application hacking. Check your website for vulnerabilities
to SQL injection, Cross site scripting and other web attacks before hackers do!
Download Trial at:
http://www.securityfocus.com/sponsor/pen-test_050831
-------------------------------------------------------------------------------
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:55:17 EDT