Home page logo

pen-test logo Penetration Testing mailing list archives

Re: [PEN-TEST] Evaluating Auditors Abilities
From: Max Vision <vision () WHITEHATS COM>
Date: Thu, 7 Sep 2000 16:22:38 -0700

At 12:46 AM 9/7/00 -0400, Derrick wrote:
Dear Pen-Testers,
        Recently I underwent something that had me thinking about
Security Auditing companies and others (Big accounting firms that
offer a side service of auditing). Management decided that we needed
to be audited by an outside firm, which I am in full favor of. The
problem came about in what an un-named auditor did.


It sounds like your company hired a less-than-capable auditing group that
is still in the learning process. Since I have been doing professional
penetration testing for several years, I have addressed this touchy issue
in three main ways.

First, the majority of my new clients are referrals from satisfied
customers.  Since I am an engineer and not a salesperson, this ends up
working out very well for myself and my clients.  You should ask around
and find out who your peers hire and why they are chosen.

Second, I provide a free "Visibility Analysis" of the potential client
network. This includes significant detail about both the client network
and the penetration testing procedure.  You should find out if the
auditing company charges an arbitrary fee or if they understand your
particular network.

Third, I maintain a 100% penetration rate.  I guarantee that I will be
able to penetrate a client's network.  Since I have years of experience
and current research skills, I am confident that I will be able to
maintain this guarantee.  After all, a penetration testing expert should
be able to prove their skill in gaining compromise if they are to be
trusted to simulate real-world techniques.  Ask to find out if your
security company makes any similar guarantees.

Finally, numerous false positives are sloppy and inexusable - a
clear sign that the auditors ran automated tools without checking the
results.  In many cases the auditors fail to properly configure the
scanning tools, or have not authored the security tests
themselves.  Be sure to ask the right questions before you choose a
security company.  If you don't get the answers you're looking for, keep


Max Vision Network Security        <vision () whitehats com>
Network Security Assessment         http://maxvision.net/
100% Success Rate : Penetration Testing & Risk Mitigation
Free Visibility Analysis and Price Quote for Your Network

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]