On Jun 5, 2012, at 12:52 PM, Peter Kristolaitis <alter3d@alter3d.ca> wrote:
In general, my experience with most "pen testers" is a severe disappointment, and isn't anything that couldn't be done in-house by taking the person in your department who has the most ingrained hacker/geek personality, giving them Nessus/Metasploit/nmap/etc, pizza and a big ass pot of coffee, and saying "Find stuff we don't know about. Go." There is the occasional pen tester who is absolutely phenomenal and does the job properly (i.e. the guys who actually write their own shellcode, etc), but the vast majority of "pen testers" just use automated tools and call it a day. Like everything else in IT, security has been "commercialized" to the point where finding really good vendors/people is hard, because everyone and their mom has CEH, CISSP, and whatever other alphabet soup certifications you can imagine.
There are definitely a number of incredible pen-testers out there. But I agree with Peter… If you end up with a "report" that's nothing more than an executive statement pasted at the top of a Nessus report, then you've wasted your money. To be honest, I'd recommend getting a sample report from the company and quizzing them on it before committing to a contract with them.

---------------------------
Jason 'XenoPhage' Frisvold
xenophage@godshell.com
---------------------------
"Any sufficiently advanced magic is indistinguishable from technology." - Niven's Inverse of Clarke's Third Law