Thanks Dean. As always, your input is much appreciated. :-)
<Ajas Mohammed />
http://ajashadi.blogspot.com
We cannot become what we need to be, remaining what we are.
No matter what, find a way. Because that's what winners do.
You can't improve what you don't measure.
Quality is never an accident; it is always the result of high intention, sincere effort, intelligent direction and skillful execution; it represents the wise choice of many alternatives.

On Tue, Jan 5, 2010 at 6:27 PM, Dean H. Saxe <[email protected]> wrote:

> I spent the past 5 years doing pen testing for a living and there are many, many companies out there performing this service. You get what you pay for! So ask yourself this question: What do I want to know from a test? Do you want to know what can be found by a machine running automated scans, which will likely miss things like authorization flaws and stored cross-site scripting (cheapest, includes a test of the server the code runs on)? Do you want a human to test the site thoroughly, only finding what can be discovered remotely (mid-range, includes a test of the server the code runs on)? Do you want a code review to discover all code-level vulnerabilities and suggest fixes (most expensive, most detailed, lacks any review of server configuration)? Also, why do you need a test? If you are seeking PCI compliance, you need to find a vendor who can offer PCI-specific services.
>
> For a reputable company to do a manual pen test, you can expect to pay $10 - $15k/week of testing. Most small sites can be tested in a week, two tops. Larger sites may require many weeks of assessment. A code review will run you about the same, but the timeframes are longer. Figure 1 week for 10KLOC of code, 3 weeks for 50KLOC of code, and beyond that expect a good vendor to want to do a threat model first so the code review can be more narrowly scoped.
>
> So who would I recommend to do your testing? Here are some reputable companies that I would hire based on personal knowledge of their testing teams:
>
> Intrepidus Group
> Foundstone, A Division of McAfee
> VerSprite (a local ATL based company)
> WhiteHat (a SaaS model, not a one-time targeted test)
>
> I won't publicly state who I won't hire... but there are a lot of mom & pop type infosec shops out there that are not worth a damn. There are a lot of consultancies that are large... but not very good.
>
> Hope this helps!
> -dhs
> --
> Dean H. Saxe
> "A true conservationist is a person who knows that the world is not given by his fathers, but borrowed from his children." -- John James Audubon
>
> On Tue, Jan 5, 2010 at 1:35 PM, Ajas Mohammed <[email protected]> wrote:
> > Hi,
> >
> > I have heard of http://www.coresecurity.com/ who do security testing for web applications etc. Does anyone know of this company or any similar companies who do security/penetration tests for web applications? Needless to say, our applications are CF based.
> >
> > Is there anything to worry about or to be aware of, since these people, if hired, perform penetration testing on the production sites, which of course would be on weekends?
> >
> > Thanks,
> >
> > <Ajas Mohammed />
> > http://ajashadi.blogspot.com
> > We cannot become what we need to be, remaining what we are.
> > No matter what, find a way. Because that's what winners do.
> > You can't improve what you don't measure.
> > Quality is never an accident; it is always the result of high intention, sincere effort, intelligent direction and skillful execution; it represents the wise choice of many alternatives.
>
> -------------------------------------------------------------
> To unsubscribe from this list, manage your profile @ http://www.acfug.org?fa=login.edituserform
> For more info, see http://www.acfug.org/mailinglists
> Archive @ http://www.mail-archive.com/discussion%40acfug.org/
> List hosted by http://www.fusionlink.com
> -------------------------------------------------------------
