On Jun 5, 2012, at 12:52 PM, Peter Kristolaitis <alte...@alter3d.ca> wrote:

> In general, my experience with most "pen testers" is a severe disappointment,
> and isn't anything that couldn't be done in-house by taking the person in
> your department who has the most ingrained hacker/geek personality, giving
> them Nessus/Metasploit/nmap/etc, pizza and a big ass pot of coffee, and
> saying "Find stuff we don't know about. Go.". There is the occasional pen
> tester who is absolutely phenomenal and does the job properly (i.e. the guys
> who actually write their own shellcode, etc), but the vast majority of "pen
> testers" just use automated tools and call it a day. Like everything else in
> IT, security has been "commercialized" to the point where finding really good
> vendors/people is hard, because everyone and their mom has CEH, CISSP, and
> whatever other alphabet soup certifications you can imagine.
There are definitely a number of incredible pen-testers out there. But I agree with Peter… If you end up with a "report" that's nothing more than an executive statement pasted at the top of a Nessus report, then you've wasted your money. To be honest, I'd recommend getting a sample report from the company and quizzing them on it before committing to a contract with them.

---------------------------
Jason 'XenoPhage' Frisvold
xenoph...@godshell.com
---------------------------
"Any sufficiently advanced magic is indistinguishable from technology." - Niven's Inverse of Clarke's Third Law