Penetration Testing: Re: How to go about looking for a pen-tester

[hellNbak <hellnbak () nmrc org>]

> I have been reading with interest this list for a few weeks. Is there
> anything special that a customer should look for when choosing a pen tester?
> e.g., are there any certifications, associations, government agency that
> guarantee the pen-tester won't use the information learned to harm the
> network? Should the customer specify what is allowed and what is not
> allowed, or give the pen-tester a free hand to do his work? how about
> international agreements? Are there any websites recommending and rating
> pen-testers? Basically, what should a client do protect himself when asking
> a pen-tester to break in to his network.
First - all certifications mean is that someone read a book and managed to
memorize enough of it to pass a test.  Do not base your selection of
Pen-Testers on only certifications.

As far as agreements go, you would be wise to carefully read over any
terms and conditions supplied by the company doing the tests.  If there is
anything in there you do not like or want added, speak up before you sign
off on the proposal.  If there isn't a terms and conditions - run like
hell.

The way I would choose a pen-testing or security consulting company would
be by looking at their years in business, their experience, and their
refferences.  In my opinion - you are better off with an established,
known company that can provide you with some good refferences.


-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

"I don't intend to offend - I offend with my intent"

hellNbak () nmrc org

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-