I spent the past 5 years doing pen testing for a living and there are many, many companies out there performing this service. You get what you pay for! So ask yourself this question: What do I want to know from a test? Do you want to know what can be found by a machine running automated scans, which will likely miss things like authorization flaws and stored cross-site scripting (cheapest, includes a test of the server the code runs on)? Do you want a human to test the site thoroughly, only finding what can be discovered remotely (mid-range, includes a test of the server the code runs on)? Do you want a code review to discover all code-level vulnerabilities and suggest fixes (most expensive, most detailed, lacks any review of server configuration)?

Also, why do you need a test? If you are seeking PCI compliance, you need to find a vendor who can offer PCI-specific services.
For a reputable company to do a manual pen test, you can expect to pay $10 - $15k/week of testing. Most small sites can be tested in a week, two tops. Larger sites may require many weeks of assessment. A code review will run you about the same, but the timeframes are longer. Figure 1 week for 10KLOC of code, 3 weeks for 50KLOC of code, and beyond that expect a good vendor to want to do a threat model first so the code review can be more narrowly scoped.

So who would I recommend to do your testing? Here are some reputable companies that I would hire based on personal knowledge of their testing teams:

Intrepidus Group
Foundstone, A Division of McAfee
VerSprite (a local ATL-based company)
WhiteHat (a SaaS model, not a one-time targeted test)

I won't publicly state who I won't hire... but there are a lot of mom & pop type infosec shops out there that are not worth a damn. There are a lot of consultancies that are large... but not very good.

Hope this helps!

-dhs

--
Dean H. Saxe
"A true conservationist is a person who knows that the world is not given by his fathers, but borrowed from his children." -- John James Audubon

On Tue, Jan 5, 2010 at 1:35 PM, Ajas Mohammed <[email protected]> wrote:
> Hi,
>
> I have heard of http://www.coresecurity.com/ who do security testing for web
> applications etc. Does anyone know of this company or any similar companies
> who do security/penetration tests for web applications. Needless to say, our
> applications are CF based.
>
> Is there anything to worry about or to be aware of, since these people if
> hired, perform penetration testing on the production sites, which of course
> would be on weekends.
>
> Thanks,
>
> <Ajas Mohammed />
> http://ajashadi.blogspot.com
> We cannot become what we need to be, remaining what we are.
> No matter what, find a way. Because that's what winners do.
> You can't improve what you don't measure.
> Quality is never an accident; it is always the result of high intention,
> sincere effort, intelligent direction and skillful execution; it represents
> the wise choice of many alternatives.
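An added example, not from either message in the thread, illustrating the point about automated scanners missing authorization flaws: a scanner that drives a single session through an application sees a 200 on every invoice and has nothing to flag, because it does not know which user owns which record. A human tester with two accounts can run the differential check below. The toy endpoint, the two sessions and the invoice data are all constructed for this illustration; the `vulnerable_app`, `hardened_app` and `find_authz_flaws` names are mine, not any vendor's or product's.

```python
"""
Differential authorization test: the kind of check a context-free scanner
cannot perform on its own. All data and endpoints here are constructed for
the example; nothing models a real application.
"""

# Constructed sample data: who owns which invoice, and which session is whose.
INVOICES = {1: {"owner": "alice", "total": 120}, 2: {"owner": "bob", "total": 99}}
SESSIONS = {"sess-alice": "alice", "sess-bob": "bob"}


def vulnerable_app(session: str, invoice_id: int):
    """Authenticates the session but never checks ownership (an IDOR)."""
    if session not in SESSIONS:
        return 401, None
    inv = INVOICES.get(invoice_id)
    if inv is None:
        return 404, None
    return 200, inv


def hardened_app(session: str, invoice_id: int):
    """Same endpoint with an ownership check; other users' invoices get 403."""
    if session not in SESSIONS:
        return 401, None
    inv = INVOICES.get(invoice_id)
    if inv is None:
        return 404, None
    if inv["owner"] != SESSIONS[session]:
        return 403, None
    return 200, inv


def scanner_view(app):
    """What a scanner with one session and no ownership model observes:
    just status codes. On the vulnerable app every invoice is a 200, and
    a 200 on its own is not a finding."""
    return {invoice_id: app("sess-alice", invoice_id)[0] for invoice_id in INVOICES}


def find_authz_flaws(app):
    """Manual-tester logic: request every invoice with every session and
    report each case where a user receives a record they do not own.
    Returns a list of (requesting_user, invoice_id, actual_owner)."""
    flaws = []
    for session, user in SESSIONS.items():
        for invoice_id, inv in INVOICES.items():
            status, _body = app(session, invoice_id)
            if status == 200 and inv["owner"] != user:
                flaws.append((user, invoice_id, inv["owner"]))
    return flaws


if __name__ == "__main__":
    print("scanner sees:", scanner_view(vulnerable_app))
    print("vulnerable app flaws:", find_authz_flaws(vulnerable_app))
    print("hardened app flaws:", find_authz_flaws(hardened_app))
```

The ownership map is the part a scanner never has: without it, `scanner_view` returns the same shape of result for both applications and cannot distinguish a correct 200 from a cross-user leak. That is the gap the mid-range manual test is meant to close.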
