Home page logo

pen-test logo Penetration Testing mailing list archives

Re: Penetration Testing - Human Factor
From: Joey Peloquin <joeyp () cotse net>
Date: Tue, 29 Aug 2006 15:11:55 -0500

StyleWar wrote:

With respect, I think that's a greater commentary on your contracting
methods than it is on what's available. The Pen-Tests I have run include

Yeah, well, I work for a fortune 50 company, and it's just come to my
attention that my boss doesn't give a crap about whether our pen-testers
"get in".  He just doesn't want any work to do (read: audit items).  He
said, and I quote, "Your standards are too high, and you probably wouldn't
be happy with any pen-tester we brought in."

And yeah, I'm thinking what you're thinking..my CV is getting updated now.

everything from physical, to logical, to social/administrative.  The
customer has had to opt out on specific methods and attack trees as part of
the preengagement process.



Sounds great..exactly what we go through.  Also sounds like you're not the
cookie-cutter (Qualys/Nessus, Nikto, NMAP anyone) type contractor that
Fortune 50 customers get stuck with.

That said, we *did* have one good pen-test.  ~2 years ago we paid ISS 40K;
they had a trophy from an obscure, forgotten webapp within two days.  I've
also gotten a shitty pen-test from ISS, so YMMV.


This List Sponsored by: Cenzic

Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]