2012
Newcomer II

Reputed Pen Testing Companies to use

Hello,

Sorry if this post does not fit the content here. I would appreciate it if esteemed members could suggest reputable names to engage for pen testing of a SaaS-based service with desktop/mobile and browser clients.

Thanks in advance.

9 Replies
CISOScott
Community Champion

I have heard good things about Black Hills Information Security in the pentesting arena. Here is their website:

https://www.blackhillsinfosec.com/

2012
Newcomer II

Thank you CISO Scott.

Caute_cautim
Community Champion

If you want a regular subscription-based service with immediate, real-time results, rather than having to wait on Statement of Work overheads, then you may find this useful:

https://www.ibm.com/security/services/penetration-testing

Regards

Caute_cautim

2012
Newcomer II

Thank you.

viethanguyen
Viewer

Hi,

In case you are still considering, you should go with the Big 4 (EY, KPMG, PwC, Deloitte), not just for pentesting but for broader consulting 🙂

Caute_cautim
Community Champion

From experience, it does not matter who it is: ensure they are carefully supervised. I had a situation on a private cloud whereby the Big 4 pen tester was given access to an internal 10 Gbit switch port and decided to open the throttle without first checking with the client and the associated team. The resulting chaos certainly kept Incident Response going for a little while. It does not matter who they are; ensure they are supervised and monitored carefully.

Regards

Caute_cautim

CISOScott
Community Champion


@viethanguyen wrote:

Hi,

In case you are still considering, you should go with the Big 4 (EY, KPMG, PwC, Deloitte), not just for pentesting but for broader consulting 🙂


In my personal opinion, whether you go with a Big 4 firm or another pen testing company, you need to be careful. I have found that pen testers who are reputable AND good will not do a pen test for you for more than 2 years in a row. Sometimes the Big 4, or others who do not specialize in pen testing, are just in it for the money. I have seen one company come in for 6 years straight, and they were just tool monkeys. They ran Nessus, spat out the results, and told the OIG how bad the company's IT staff was. They provided no analysis and no solutions, just "you need to patch, and you are so bad because you have 13,000 vulnerabilities across your 3 networks."

I was brought in as a new ISSO. I had to bite my tongue in the out-brief meeting because I was new and still on probation, but I wanted to stand up and say this:

"You guys are nothing but tool monkeys, which means we could have brought in monkeys, had them run the tool, and got the same results. Your analysis is flawed because you incorrectly stated we have 13,000 vulnerabilities. We have 3 identical networks: dev, test, and prod. So really we have the same 4,333 vulnerabilities 3 times. Secondly, you offer no solutions for the core problem. You know nothing of how our company works, despite having run the SAME pentest for 6 years. The problem is not the number of vulnerabilities; the problems are various and are not even being dealt with because you just keep pointing at the big number. Problem #1 is that we have a bad IT setup. The government staff are all managers who manage IT contractors to do the work. We have no federal IT staff who are actually able to do the patch management. #2 is the fact that we have written bad IT contracts, and security and IT are not brought into the contract-writing portion of the contracts. Our current contract says the IT contractors will patch Windows, Oracle, and Red Hat. It does nothing to address 3rd-party patching or other security issues for which a patch is not available but manual solutions exist. Even though the contractor is technically able to remediate it, if they were to screw something up, because it is not written in their contract, they could be thrown off the contract. They are not going to take that risk. #3: Because you just keep reporting numbers and offering no solutions, everyone is pointing fingers at each other, which further delays the response. #4: Because you keep bringing back the same team year after year and doing the same things you always do, we have no idea if you are competent at your task. Bringing in a new set of eyes by using a different company will show different things. That is why COMPETENT pen-testing companies do no more than 2 years in a row before suggesting that you use someone else."

If a company suggests rotating pen-testing companies, that is a good indication that they know what they are doing.

I had only been on the job for 6 months and had already pointed out several problems within the IT sphere. Unfortunately for me, I was young in my InfoSec career and did not know how things like company culture would be a roadblock to my successes. I banged my head against a wall throwing good idea after good idea, not realizing that, even though my security analysis was good and correct, the way I was presenting it made IT look like fools, so they were resistant to my ideas and started building walls around them. They had the mentality that they were a small, obscure federal agency (which only had about a billion in funds under management), so they weren't anybody's target. No one would even think to go after them. It wasn't until later, after I started my Master's program, that I learned about organizational culture and how I had to address it while making my suggestions in order for them to be accepted.

So I would ask, when selecting a pen-test company, what their suggestion is for the length of the contract. If they say over two years, I would be suspicious.
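CISOScott's 13,000-versus-4,333 complaint is a counting problem that can be fixed at the reporting stage rather than argued about in an out-brief. The script below is an added example, not code from this thread, from Nessus, or from any of the firms mentioned. It reads a few constructed rows in the Plugin ID / Host / Risk / Name columns of a Nessus CSV export, folds hosts named `<env>-<role>` across dev, test and prod into one logical finding per (plugin, role), and flags findings that exist in only some environments, which is the signal a raw instance count hides. The hostnames, the `<env>-<role>NN` naming convention, the plugin IDs and the sample rows are all assumptions made for the example.

```python
"""Fold per-host scanner instances into per-vulnerability findings across
identical environments (added example; sample data is constructed)."""
import csv
import io
import re
from collections import defaultdict

ENVS = ("dev", "test", "prod")
# Assumed naming convention: <env>-<role><nn>.<domain>; adjust for your estate.
HOST_RE = re.compile(r"^(?P<env>dev|test|prod)-(?P<role>[a-z]+\d+)\.", re.IGNORECASE)

# Constructed subset of a Nessus CSV export (plugin IDs/hosts are illustrative).
SAMPLE_CSV = """Plugin ID,Host,Risk,Name
10863,dev-web01.example.internal,Medium,SSL Certificate Cannot Be Trusted
10863,test-web01.example.internal,Medium,SSL Certificate Cannot Be Trusted
10863,prod-web01.example.internal,Medium,SSL Certificate Cannot Be Trusted
10863,dev-web02.example.internal,Medium,SSL Certificate Cannot Be Trusted
10863,test-web02.example.internal,Medium,SSL Certificate Cannot Be Trusted
10863,prod-web02.example.internal,Medium,SSL Certificate Cannot Be Trusted
35291,dev-db01.example.internal,Medium,SSL Certificate Signed Using Weak Hashing Algorithm
35291,test-db01.example.internal,Medium,SSL Certificate Signed Using Weak Hashing Algorithm
35291,prod-db01.example.internal,Medium,SSL Certificate Signed Using Weak Hashing Algorithm
20007,prod-db01.example.internal,High,SSL Version 2 and 3 Protocol Detection
19506,dev-web01.example.internal,None,Nessus Scan Information
34460,10.0.0.5,Critical,Unsupported Web Server Detection
"""


def normalize_host(host):
    """'dev-web01.example.internal' -> ('dev', 'web01'); unrecognised hosts -> (None, host)."""
    m = HOST_RE.match(host)
    if not m:
        return None, host
    return m.group("env").lower(), m.group("role").lower()


def parse_findings(csv_text):
    """Return (plugin_id, env, role, risk, name) tuples, dropping informational rows."""
    out = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Risk"] == "None":  # Nessus marks informational plugins as 'None'
            continue
        env, role = normalize_host(row["Host"])
        out.append((row["Plugin ID"], env, role, row["Risk"], row["Name"]))
    return out


def dedupe(findings):
    """One logical finding per (plugin, role); record which environments it appears in."""
    groups = {}
    for plugin_id, env, role, risk, name in findings:
        g = groups.setdefault((plugin_id, role), {"risk": risk, "name": name, "envs": set()})
        g["envs"].add(env)
    return groups


def summarize(csv_text):
    """Instance count, unique count, per-environment counts, and environment drift."""
    findings = parse_findings(csv_text)
    groups = dedupe(findings)
    by_env = defaultdict(int)
    for _, env, _, _, _ in findings:
        by_env[env or "unknown"] += 1
    # Drift: a finding present in some but not all of the supposedly identical envs.
    drift = sorted(
        (plugin_id, role, tuple(sorted(g["envs"])))
        for (plugin_id, role), g in groups.items()
        if None not in g["envs"] and g["envs"] != set(ENVS)
    )
    return {"instances": len(findings), "unique": len(groups),
            "by_env": dict(by_env), "drift": drift}


if __name__ == "__main__":
    s = summarize(SAMPLE_CSV)
    print(f"{s['instances']} scanner instances -> {s['unique']} unique findings")
    print("per environment:", s["by_env"])
    for plugin_id, role, envs in s["drift"]:
        print(f"drift: plugin {plugin_id} on {role} only in {', '.join(envs)}")
```

The (plugin, role) key is only valid if the environments really are built from the same images and configuration; the prod-only SSLv2/v3 finding in the constructed data is exactly the case where they are not, and that one line is worth more in an out-brief than the headline instance count.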

rslade
Influencer II


@viethanguyen wrote:
In case you are still considering, you should go with the Big 4 (EY, KPMG, PwC, Deloitte), not just for pentesting but for broader consulting 🙂

The Big $ (oh, sorry, I left my finger on the shift key too long; that should be Big 4) are extremely good at finding problems in your security posture that can be addressed by consulting they can sell you ...

 


............

Other posts: https://community.isc2.org/t5/forums/recentpostspage/user-id/1324864413

This message may or may not be governed by the terms of
http://www.noticebored.com/html/cisspforumfaq.html#Friday or
https://blogs.securiteam.com/index.php/archives/1468
Steve-Wilme
Advocate II

If you're EMEA-based you could examine the CREST or CHECK list of companies:

https://www.crest-approved.org/member-companies/index.html

 

-----------------------------------------------------------
Steve Wilme CISSP-ISSAP, ISSMP MCIIS