Comments on: Better Criteria for Selecting Pen Test Consultants http://www.veracode.com/blog/2007/02/better-criteria-for-selecting-pen-test-consultants/ Application security testing, analysis, and metrics Tue, 15 May 2012 22:16:53 +0000 hourly 1 http://wordpress.org/?v=3.3.1 By: sandrar http://www.veracode.com/blog/2007/02/better-criteria-for-selecting-pen-test-consultants/comment-page-1/#comment-3070 sandrar Thu, 10 Sep 2009 13:23:06 +0000 http://www.veracode.com/blog/?p=28#comment-3070 Hi! I was surfing and found your blog post... nice! I love your blog. :) Cheers! Sandra. R. Hi! I was surfing and found your blog post… nice! I love your blog. :) Cheers! Sandra. R.

]]> By: Zero in a bit » Art vs. Science http://www.veracode.com/blog/2007/02/better-criteria-for-selecting-pen-test-consultants/comment-page-1/#comment-1066 Zero in a bit » Art vs. Science Fri, 20 Jun 2008 20:56:44 +0000 http://www.veracode.com/blog/?p=28#comment-1066 [...] comment I once made about security educators/trainers is relevant here. Whatever questions end up on the OPCP test, [...] [...] comment I once made about security educators/trainers is relevant here. Whatever questions end up on the OPCP test, [...]

]]> By: Top 10 Tips For Hiring Web Application Pen Testers « Mark Curphey - SecurityBuddha.com http://www.veracode.com/blog/2007/02/better-criteria-for-selecting-pen-test-consultants/comment-page-1/#comment-139 Top 10 Tips For Hiring Web Application Pen Testers « Mark Curphey - SecurityBuddha.com Thu, 08 Mar 2007 07:51:44 +0000 http://www.veracode.com/blog/?p=28#comment-139 [...] ‘Web Pesting”. He makes some excellent points. Chris Eng originally posted an equally excellent blog. Having ran a sizeable team doing this work at Foundstone I thought I would chip in with my 2 [...] [...] ‘Web Pesting”. He makes some excellent points. Chris Eng originally posted an equally excellent blog. Having ran a sizeable team doing this work at Foundstone I thought I would chip in with my 2 [...]

]]> By: Chris Eng http://www.veracode.com/blog/2007/02/better-criteria-for-selecting-pen-test-consultants/comment-page-1/#comment-101 Chris Eng Fri, 02 Mar 2007 16:03:23 +0000 http://www.veracode.com/blog/?p=28#comment-101 This is true. Add this to my list: "Make sure your definition of a penetration test is consistent with the vendor's definition." Too many consulting companies these days try to pass off a few automated scans (and weeding out of the false positives) as a penetration test. Sorry guys, but that's a vulnerability scan and nothing more. The last thing you want to do is sign on the dotted line without being aligned on expectations. Don't get me wrong, automation has its place. Say you're responsible for the security of 500 web applications and you want to scan them on a rotating basis to find all the low-hanging fruit. You'll undoubtedly find some explotiable vulnerabilities that need fixing. Just don't get a false sense of security, because all the automated scanners do is fling junk at every parameter of every page and use heuristics to gauge the response. They find a lot of problems, but they won't even touch higher-level logic issues, authorization bypass, etc. It's not a pen test, it's a scan. The network side is different. Metaploit, CANVAS, Core Impact, etc. give you the tools you need to gain and extend access. Nessus, Retina, etc. are just scanners. This is true. Add this to my list: “Make sure your definition of a penetration test is consistent with the vendor’s definition.” Too many consulting companies these days try to pass off a few automated scans (and weeding out of the false positives) as a penetration test. Sorry guys, but that’s a vulnerability scan and nothing more. The last thing you want to do is sign on the dotted line without being aligned on expectations.

Don’t get me wrong, automation has its place. Say you’re responsible for the security of 500 web applications and you want to scan them on a rotating basis to find all the low-hanging fruit. You’ll undoubtedly find some explotiable vulnerabilities that need fixing. Just don’t get a false sense of security, because all the automated scanners do is fling junk at every parameter of every page and use heuristics to gauge the response. They find a lot of problems, but they won’t even touch higher-level logic issues, authorization bypass, etc. It’s not a pen test, it’s a scan.

The network side is different. Metaploit, CANVAS, Core Impact, etc. give you the tools you need to gain and extend access. Nessus, Retina, etc. are just scanners.

]]> By: Chris http://www.veracode.com/blog/2007/02/better-criteria-for-selecting-pen-test-consultants/comment-page-1/#comment-100 Chris Fri, 02 Mar 2007 13:32:58 +0000 http://www.veracode.com/blog/?p=28#comment-100 Good post. Unfortunately the market is saturated with certifications and many 'penetration testers' that arent qualified. The more automated our toolsets become you will find less knowledgeable penetration testers. This is sort of evident when you look back at the explosion of quality low cost scanners (Nessus, Retina etc...) that took off 5 or 6 years ago. Metasploit is great, but a majority of the penetration testers out there don't understand it. Its easier to plug an IP into Nessus and hit 'Start Scan'. Good post. Unfortunately the market is saturated with certifications and many ‘penetration testers’ that arent qualified. The more automated our toolsets become you will find less knowledgeable penetration testers. This is sort of evident when you look back at the explosion of quality low cost scanners (Nessus, Retina etc…) that took off 5 or 6 years ago. Metasploit is great, but a majority of the penetration testers out there don’t understand it. Its easier to plug an IP into Nessus and hit ‘Start Scan’.

]]>