Home page logo

pen-test logo Penetration Testing mailing list archives

Re: How to pick the right company for penetration testing?
From: "Nexus" <nexus () patrol i-way co uk>
Date: Mon, 26 Jan 2004 23:25:47 -0000

----- Original Message -----
From: "Pete Herzog" <pete () isecom org>
To: "Nexus" <nexus () patrol i-way co uk>; "Andy Paton" <aoyt78 () dsl pipex com>;
<pen-test () securityfocus com>
Sent: Monday, January 26, 2004 10:07 AM
Subject: RE: How to pick the right company for penetration testing?


Although CHECK is part of the UK governmental endorsement, I have not
seen it outside the UK.  That said, if the UK is just a starting point for
European partner, CHECK does not have much authority.

Indeed - as you said, not seen outside of the UK...
Horribly bad form to quote oneself I know, but from Andy's initial email:

(I will only pick a UK company)

Hence the very specific reply from myself:

In that case, one option would be to pick a CHECK company from

Specific criteria normally require explicit answers, irrespective of
esoteric verbosity no ?
(Sorry for the Geerism, old habits ;-)
And yes, there are US based companies with green light, ho hum.

Another problem is that CHECK is pay-to-play (5000 Bp).  I know many
excellent UK companies with good work ethic, smart security skills, and a
positive cashflow from good sales and service who don't see the value in
paying someone for a high-level methodology and course.

As I said (with added emphasis):

**one** option would be

Also agreed that it's still less than the (maximum AFAIK) 295 USD required
for Gold Team subsciption to your own organisation.
It's currently 6.7K UKP for company, 1.5K UKP for the assualt course btw (c.
Jan 2004).

The larger and more governmentally influenced customers in the UK may
require CHECK in England and in that case, the door is shut to them if
can't convince otherwise.

Not true, from first hand experience.

offices are looking for OSSTMM certified people to work and in Scotland, a
few of the the largest banks and organizations only buy OSSTMM certified

Not an issue - the difference being I am not with CESG and hence am offering
what I consider to be independant criteria.
Hence no tout or mention of any fee accepting organisation that I represent.

If you want to pick a partner, try buying something from them anonymously
first.  Go through the procedure of being a tough customer.  Judge them on
their ethics, sales ability, and service skills.  Then when you narrow it
down to a few companies, look into sustainability, cash flow, reputation,
and other partners.


CHECK has its place but I think it's a mistake to judge ability on that.
the otherside, it won't stop us from adding the CHECK methodology to the
OSSTMM like we do other high level methodologies.

Or Vikkie Versie perhaps ?



  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]