ML
    • Recent
    • Categories
    • Tags
    • Popular
    • Users
    • Groups
    • Register
    • Login

    Pentest - Who would you recommend?

    IT Discussion
    8
    48
    4.4k
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • S
      scottalanmiller @Deleted74295
      last edited by

      @Breffni-Potter said in Pentest - Who would you recommend?:

      @Carnival-Boy The only issue with sec-1 is they are a Claranet company. Claranet...their culture is really poor, they've kept making mistakes on ISP projects, support failures and for one client, Claranet actually held their service to ransom by switching off the connection before a migration to a competitor, the client buckled and re-signed for 2 years and within 10 minutes the service was back up.

      Sec-1 might just be owned by Claranet and they are fantastic on their own but its a bit like LogMeIn owning LastPass, LastPass is great, LogMeIn, not so much.

      @Jimmy9008 - Yep, it was a response to a breach. A specific requirement was zero pen-test but all other reports are similar, we looked here, tried this, found this, fix it this way.

      So... an MSP/VAR?

      1 Reply Last reply Reply Quote 0
      • S
        scottalanmiller @Carnival Boy
        last edited by

        @Carnival-Boy said in Pentest - Who would you recommend?:

        @IRJ said in Pentest - Who would you recommend?:

        You definitely don't want a pen test, you need a security assessment. There will be plenty of things to fix, and after securing the network then you could do a pen test the following year.

        Same thing. What do you think an assessment will do that a pentester won't (and vice versa)?

        One is only testing penetration from a set of attacks. Most security vulnerabilities are not penetration so aren't part of that test (like SQL Injection is not penetration) plus it tests attacks, not risks.

        Example.. which tells you how long it will take to break through a door, hitting it with a hammer or knowing a lot about the door? If you know enough about the door, you know where it is weak or if the hinges are about to give out. If you just hit it with a hammer, you might get lucky and get in on the first swing or you might never hit it hard enough to break the hinge.

        Both are valuable, but one tells you a lot more, typically.

        I 1 Reply Last reply Reply Quote 1
        • S
          scottalanmiller @Carnival Boy
          last edited by

          @Carnival-Boy said in Pentest - Who would you recommend?:

          That's not what I'm asking. I'm asking how does an assessment find out if your applications are vulnerable to SQL injection?

          Literally, how, if not by pen testing them?

          Pen testing doesn't even apply. You test SQL Injection risk by looking at the code. Code audit is the only reliable test for injection attack vectors and is a very standard thing.

          1 Reply Last reply Reply Quote 3
          • I
            IRJ @scottalanmiller
            last edited by

            @scottalanmiller said in Pentest - Who would you recommend?:

            @Carnival-Boy said in Pentest - Who would you recommend?:

            @IRJ said in Pentest - Who would you recommend?:

            You definitely don't want a pen test, you need a security assessment. There will be plenty of things to fix, and after securing the network then you could do a pen test the following year.

            Same thing. What do you think an assessment will do that a pentester won't (and vice versa)?

            One is only testing penetration from a set of attacks. Most security vulnerabilities are not penetration so aren't part of that test (like SQL Injection is not penetration) plus it tests attacks, not risks.

            Example.. which tells you how long it will take to break through a door, hitting it with a hammer or knowing a lot about the door? If you know enough about the door, you know where it is weak or if the hinges are about to give out. If you just hit it with a hammer, you might get lucky and get in on the first swing or you might never hit it hard enough to break the hinge.

            Both are valuable, but one tells you a lot more, typically.

            Yes, alot of people use security assessment and pentesting as interchangeable terms but they are much different. Pen testing is only done when you feel you've already covered everything found on a security assessment.

            S 1 Reply Last reply Reply Quote 3
            • S
              scottalanmiller @IRJ
              last edited by

              @IRJ said in Pentest - Who would you recommend?:

              @scottalanmiller said in Pentest - Who would you recommend?:

              @Carnival-Boy said in Pentest - Who would you recommend?:

              @IRJ said in Pentest - Who would you recommend?:

              You definitely don't want a pen test, you need a security assessment. There will be plenty of things to fix, and after securing the network then you could do a pen test the following year.

              Same thing. What do you think an assessment will do that a pentester won't (and vice versa)?

              One is only testing penetration from a set of attacks. Most security vulnerabilities are not penetration so aren't part of that test (like SQL Injection is not penetration) plus it tests attacks, not risks.

              Example.. which tells you how long it will take to break through a door, hitting it with a hammer or knowing a lot about the door? If you know enough about the door, you know where it is weak or if the hinges are about to give out. If you just hit it with a hammer, you might get lucky and get in on the first swing or you might never hit it hard enough to break the hinge.

              Both are valuable, but one tells you a lot more, typically.

              Yes, alot of people use security assessment and pentesting as interchangeable terms but they are much different. Pen testing is only done when you feel you've already covered everything found on a security assessment.

              Yes, doing both is definitely good. But if only doing one, it's the assessment that I'd want.

              I 2 Replies Last reply Reply Quote 2
              • I
                IRJ @scottalanmiller
                last edited by

                @scottalanmiller said in Pentest - Who would you recommend?:

                @IRJ said in Pentest - Who would you recommend?:

                @scottalanmiller said in Pentest - Who would you recommend?:

                @Carnival-Boy said in Pentest - Who would you recommend?:

                @IRJ said in Pentest - Who would you recommend?:

                You definitely don't want a pen test, you need a security assessment. There will be plenty of things to fix, and after securing the network then you could do a pen test the following year.

                Same thing. What do you think an assessment will do that a pentester won't (and vice versa)?

                One is only testing penetration from a set of attacks. Most security vulnerabilities are not penetration so aren't part of that test (like SQL Injection is not penetration) plus it tests attacks, not risks.

                Example.. which tells you how long it will take to break through a door, hitting it with a hammer or knowing a lot about the door? If you know enough about the door, you know where it is weak or if the hinges are about to give out. If you just hit it with a hammer, you might get lucky and get in on the first swing or you might never hit it hard enough to break the hinge.

                Both are valuable, but one tells you a lot more, typically.

                Yes, alot of people use security assessment and pentesting as interchangeable terms but they are much different. Pen testing is only done when you feel you've already covered everything found on a security assessment.

                Yes, doing both is definitely good. But if only doing one, it's the assessment that I'd want.

                absolutely, and just like any company trying to sell you something, you will probably get both if you aren't sure what you are asking for

                1 Reply Last reply Reply Quote 1
                • I
                  IRJ @scottalanmiller
                  last edited by

                  @scottalanmiller said in Pentest - Who would you recommend?:

                  @IRJ said in Pentest - Who would you recommend?:

                  @scottalanmiller said in Pentest - Who would you recommend?:

                  @Carnival-Boy said in Pentest - Who would you recommend?:

                  @IRJ said in Pentest - Who would you recommend?:

                  You definitely don't want a pen test, you need a security assessment. There will be plenty of things to fix, and after securing the network then you could do a pen test the following year.

                  Same thing. What do you think an assessment will do that a pentester won't (and vice versa)?

                  One is only testing penetration from a set of attacks. Most security vulnerabilities are not penetration so aren't part of that test (like SQL Injection is not penetration) plus it tests attacks, not risks.

                  Example.. which tells you how long it will take to break through a door, hitting it with a hammer or knowing a lot about the door? If you know enough about the door, you know where it is weak or if the hinges are about to give out. If you just hit it with a hammer, you might get lucky and get in on the first swing or you might never hit it hard enough to break the hinge.

                  Both are valuable, but one tells you a lot more, typically.

                  Yes, alot of people use security assessment and pentesting as interchangeable terms but they are much different. Pen testing is only done when you feel you've already covered everything found on a security assessment.

                  Yes, doing both is definitely good. But if only doing one, it's the assessment that I'd want.

                  Especially in an org that I am assuming has not run any vuln scans. They are going to have over a year's worth of work if they are lucky.

                  J 1 Reply Last reply Reply Quote 0
                  • J
                    Jimmy9008 @IRJ
                    last edited by

                    @IRJ said in Pentest - Who would you recommend?:

                    @scottalanmiller said in Pentest - Who would you recommend?:

                    @IRJ said in Pentest - Who would you recommend?:

                    @scottalanmiller said in Pentest - Who would you recommend?:

                    @Carnival-Boy said in Pentest - Who would you recommend?:

                    @IRJ said in Pentest - Who would you recommend?:

                    You definitely don't want a pen test, you need a security assessment. There will be plenty of things to fix, and after securing the network then you could do a pen test the following year.

                    Same thing. What do you think an assessment will do that a pentester won't (and vice versa)?

                    One is only testing penetration from a set of attacks. Most security vulnerabilities are not penetration so aren't part of that test (like SQL Injection is not penetration) plus it tests attacks, not risks.

                    Example.. which tells you how long it will take to break through a door, hitting it with a hammer or knowing a lot about the door? If you know enough about the door, you know where it is weak or if the hinges are about to give out. If you just hit it with a hammer, you might get lucky and get in on the first swing or you might never hit it hard enough to break the hinge.

                    Both are valuable, but one tells you a lot more, typically.

                    Yes, alot of people use security assessment and pentesting as interchangeable terms but they are much different. Pen testing is only done when you feel you've already covered everything found on a security assessment.

                    Yes, doing both is definitely good. But if only doing one, it's the assessment that I'd want.

                    Especially in an org that I am assuming has not run any vuln scans. They are going to have over a year's worth of work if they are lucky.

                    We would like to see what could be cone 'as is'. Just because we have not had a security report done, does not mean one should assume we would fail it. We have a lot in place and fixed processes, of course, nowhere is 100%, but i'd like to see what an external tester could do with nothing more than the company name. That's all an actual attacker would have.

                    NattNattN I 2 Replies Last reply Reply Quote 1
                    • NattNattN
                      NattNatt @Jimmy9008
                      last edited by

                      @Jimmy9008 said in Pentest - Who would you recommend?:

                      @IRJ said in Pentest - Who would you recommend?:

                      @scottalanmiller said in Pentest - Who would you recommend?:

                      @IRJ said in Pentest - Who would you recommend?:

                      @scottalanmiller said in Pentest - Who would you recommend?:

                      @Carnival-Boy said in Pentest - Who would you recommend?:

                      @IRJ said in Pentest - Who would you recommend?:

                      You definitely don't want a pen test, you need a security assessment. There will be plenty of things to fix, and after securing the network then you could do a pen test the following year.

                      Same thing. What do you think an assessment will do that a pentester won't (and vice versa)?

                      One is only testing penetration from a set of attacks. Most security vulnerabilities are not penetration so aren't part of that test (like SQL Injection is not penetration) plus it tests attacks, not risks.

                      Example.. which tells you how long it will take to break through a door, hitting it with a hammer or knowing a lot about the door? If you know enough about the door, you know where it is weak or if the hinges are about to give out. If you just hit it with a hammer, you might get lucky and get in on the first swing or you might never hit it hard enough to break the hinge.

                      Both are valuable, but one tells you a lot more, typically.

                      Yes, alot of people use security assessment and pentesting as interchangeable terms but they are much different. Pen testing is only done when you feel you've already covered everything found on a security assessment.

                      Yes, doing both is definitely good. But if only doing one, it's the assessment that I'd want.

                      Especially in an org that I am assuming has not run any vuln scans. They are going to have over a year's worth of work if they are lucky.

                      We would like to see what could be cone 'as is'. Just because we have not had a security report done, does not mean one should assume we would fail it. We have a lot in place and fixed processes, of course, nowhere is 100%, but i'd like to see what an external tester could do with nothing more than the company name. That's all an actual attacker would have.

                      Unless the attacker was an internal attacker//had links to someone internal to know a bit more...? Never forget that the biggest vulnerability in any business is the fleshy thing in front of the screen.

                      J I 2 Replies Last reply Reply Quote 1
                      • J
                        Jimmy9008 @NattNatt
                        last edited by

                        @NattNatt said in Pentest - Who would you recommend?:

                        @Jimmy9008 said in Pentest - Who would you recommend?:

                        @IRJ said in Pentest - Who would you recommend?:

                        @scottalanmiller said in Pentest - Who would you recommend?:

                        @IRJ said in Pentest - Who would you recommend?:

                        @scottalanmiller said in Pentest - Who would you recommend?:

                        @Carnival-Boy said in Pentest - Who would you recommend?:

                        @IRJ said in Pentest - Who would you recommend?:

                        You definitely don't want a pen test, you need a security assessment. There will be plenty of things to fix, and after securing the network then you could do a pen test the following year.

                        Same thing. What do you think an assessment will do that a pentester won't (and vice versa)?

                        One is only testing penetration from a set of attacks. Most security vulnerabilities are not penetration so aren't part of that test (like SQL Injection is not penetration) plus it tests attacks, not risks.

                        Example.. which tells you how long it will take to break through a door, hitting it with a hammer or knowing a lot about the door? If you know enough about the door, you know where it is weak or if the hinges are about to give out. If you just hit it with a hammer, you might get lucky and get in on the first swing or you might never hit it hard enough to break the hinge.

                        Both are valuable, but one tells you a lot more, typically.

                        Yes, alot of people use security assessment and pentesting as interchangeable terms but they are much different. Pen testing is only done when you feel you've already covered everything found on a security assessment.

                        Yes, doing both is definitely good. But if only doing one, it's the assessment that I'd want.

                        Especially in an org that I am assuming has not run any vuln scans. They are going to have over a year's worth of work if they are lucky.

                        We would like to see what could be cone 'as is'. Just because we have not had a security report done, does not mean one should assume we would fail it. We have a lot in place and fixed processes, of course, nowhere is 100%, but i'd like to see what an external tester could do with nothing more than the company name. That's all an actual attacker would have.

                        Unless the attacker was an internal attacker//had links to someone internal to know a bit more...? Never forget that the biggest vulnerability in any business is the fleshy thing in front of the screen.

                        Yes, we are aware of this - however that is not the test. We have to trust employees. If we didn't, they would be gone.

                        Internally, nobody has admin access, only IT have creds that can be admin and elevate when approved. Servers only allow 3389 on the LAN from specific IPs on our network. Creds have to be changed regularly for all users, including domain admin accounts. Workstations likewise use internal WSUS for updates, and are behind proxy for content inspection/etc.

                        Even so, the test is still:

                        • Out name is xyz. Document what you try, and what was successful.

                        Or does nowhere offer that?

                        C S 3 Replies Last reply Reply Quote 1
                        • I
                          IRJ @Jimmy9008
                          last edited by

                          @Jimmy9008 said in Pentest - Who would you recommend?:

                          @IRJ said in Pentest - Who would you recommend?:

                          @scottalanmiller said in Pentest - Who would you recommend?:

                          @IRJ said in Pentest - Who would you recommend?:

                          @scottalanmiller said in Pentest - Who would you recommend?:

                          @Carnival-Boy said in Pentest - Who would you recommend?:

                          @IRJ said in Pentest - Who would you recommend?:

                          You definitely don't want a pen test, you need a security assessment. There will be plenty of things to fix, and after securing the network then you could do a pen test the following year.

                          Same thing. What do you think an assessment will do that a pentester won't (and vice versa)?

                          One is only testing penetration from a set of attacks. Most security vulnerabilities are not penetration so aren't part of that test (like SQL Injection is not penetration) plus it tests attacks, not risks.

                          Example.. which tells you how long it will take to break through a door, hitting it with a hammer or knowing a lot about the door? If you know enough about the door, you know where it is weak or if the hinges are about to give out. If you just hit it with a hammer, you might get lucky and get in on the first swing or you might never hit it hard enough to break the hinge.

                          Both are valuable, but one tells you a lot more, typically.

                          Yes, alot of people use security assessment and pentesting as interchangeable terms but they are much different. Pen testing is only done when you feel you've already covered everything found on a security assessment.

                          Yes, doing both is definitely good. But if only doing one, it's the assessment that I'd want.

                          Especially in an org that I am assuming has not run any vuln scans. They are going to have over a year's worth of work if they are lucky.

                          We would like to see what could be cone 'as is'. Just because we have not had a security report done, does not mean one should assume we would fail it. We have a lot in place and fixed processes, of course, nowhere is 100%, but i'd like to see what an external tester could do with nothing more than the company name. That's all an actual attacker would have.

                          I suppose it's possible, but I have never seen that to be the case. If you aren't looking for vulnerabilities how are you addressing them?

                          J 1 Reply Last reply Reply Quote 0
                          • J
                            Jimmy9008 @IRJ
                            last edited by

                            @IRJ said in Pentest - Who would you recommend?:

                            @Jimmy9008 said in Pentest - Who would you recommend?:

                            @IRJ said in Pentest - Who would you recommend?:

                            @scottalanmiller said in Pentest - Who would you recommend?:

                            @IRJ said in Pentest - Who would you recommend?:

                            @scottalanmiller said in Pentest - Who would you recommend?:

                            @Carnival-Boy said in Pentest - Who would you recommend?:

                            @IRJ said in Pentest - Who would you recommend?:

                            You definitely don't want a pen test, you need a security assessment. There will be plenty of things to fix, and after securing the network then you could do a pen test the following year.

                            Same thing. What do you think an assessment will do that a pentester won't (and vice versa)?

                            One is only testing penetration from a set of attacks. Most security vulnerabilities are not penetration so aren't part of that test (like SQL Injection is not penetration) plus it tests attacks, not risks.

                            Example.. which tells you how long it will take to break through a door, hitting it with a hammer or knowing a lot about the door? If you know enough about the door, you know where it is weak or if the hinges are about to give out. If you just hit it with a hammer, you might get lucky and get in on the first swing or you might never hit it hard enough to break the hinge.

                            Both are valuable, but one tells you a lot more, typically.

                            Yes, alot of people use security assessment and pentesting as interchangeable terms but they are much different. Pen testing is only done when you feel you've already covered everything found on a security assessment.

                            Yes, doing both is definitely good. But if only doing one, it's the assessment that I'd want.

                            Especially in an org that I am assuming has not run any vuln scans. They are going to have over a year's worth of work if they are lucky.

                            We would like to see what could be cone 'as is'. Just because we have not had a security report done, does not mean one should assume we would fail it. We have a lot in place and fixed processes, of course, nowhere is 100%, but i'd like to see what an external tester could do with nothing more than the company name. That's all an actual attacker would have.

                            I suppose it's possible, but I have never seen that to be the case. If you aren't looking for vulnerabilities how are you addressing them?

                            If they can get in using their various techniques... that shows the vulnerability.

                            I S 2 Replies Last reply Reply Quote 0
                            • C
                              Carnival Boy @Jimmy9008
                              last edited by

                              @Jimmy9008 said in Pentest - Who would you recommend?:

                              Or does nowhere offer that?

                              Of course. I've already recommended one company that offers this.

                              1 Reply Last reply Reply Quote 1
                              • I
                                IRJ @Jimmy9008
                                last edited by

                                @Jimmy9008 said in Pentest - Who would you recommend?:

                                @IRJ said in Pentest - Who would you recommend?:

                                @Jimmy9008 said in Pentest - Who would you recommend?:

                                @IRJ said in Pentest - Who would you recommend?:

                                @scottalanmiller said in Pentest - Who would you recommend?:

                                @IRJ said in Pentest - Who would you recommend?:

                                @scottalanmiller said in Pentest - Who would you recommend?:

                                @Carnival-Boy said in Pentest - Who would you recommend?:

                                @IRJ said in Pentest - Who would you recommend?:

                                You definitely don't want a pen test, you need a security assessment. There will be plenty of things to fix, and after securing the network then you could do a pen test the following year.

                                Same thing. What do you think an assessment will do that a pentester won't (and vice versa)?

                                One is only testing penetration from a set of attacks. Most security vulnerabilities are not penetration so aren't part of that test (like SQL Injection is not penetration) plus it tests attacks, not risks.

                                Example.. which tells you how long it will take to break through a door, hitting it with a hammer or knowing a lot about the door? If you know enough about the door, you know where it is weak or if the hinges are about to give out. If you just hit it with a hammer, you might get lucky and get in on the first swing or you might never hit it hard enough to break the hinge.

                                Both are valuable, but one tells you a lot more, typically.

                                Yes, alot of people use security assessment and pentesting as interchangeable terms but they are much different. Pen testing is only done when you feel you've already covered everything found on a security assessment.

                                Yes, doing both is definitely good. But if only doing one, it's the assessment that I'd want.

                                Especially in an org that I am assuming has not run any vuln scans. They are going to have over a year's worth of work if they are lucky.

                                We would like to see what could be cone 'as is'. Just because we have not had a security report done, does not mean one should assume we would fail it. We have a lot in place and fixed processes, of course, nowhere is 100%, but i'd like to see what an external tester could do with nothing more than the company name. That's all an actual attacker would have.

                                I suppose it's possible, but I have never seen that to be the case. If you aren't looking for vulnerabilities how are you addressing them?

                                If they can get in using their various techniques... that shows the vulnerability.

                                You aren't understanding what I am saying. Look at the door analogy by @scottalanmiller again. Proving you can break through the door does not expose all the possible ways to breach the door. It only shows one way. Generally a pen tester will give you the vuln assessment he/she performs while trying to find an attack vendor which is great. However, if this a black box or grey box pen test, they have less visibility then you would have internally. So their security assessment would be incomplete.

                                1 Reply Last reply Reply Quote 2
                                • I
                                  IRJ @NattNatt
                                  last edited by

                                  @NattNatt said in Pentest - Who would you recommend?:

                                  @Jimmy9008 said in Pentest - Who would you recommend?:

                                  @IRJ said in Pentest - Who would you recommend?:

                                  @scottalanmiller said in Pentest - Who would you recommend?:

                                  @IRJ said in Pentest - Who would you recommend?:

                                  @scottalanmiller said in Pentest - Who would you recommend?:

                                  @Carnival-Boy said in Pentest - Who would you recommend?:

                                  @IRJ said in Pentest - Who would you recommend?:

                                  You definitely don't want a pen test, you need a security assessment. There will be plenty of things to fix, and after securing the network then you could do a pen test the following year.

                                  Same thing. What do you think an assessment will do that a pentester won't (and vice versa)?

                                  One is only testing penetration from a set of attacks. Most security vulnerabilities are not penetration so aren't part of that test (like SQL Injection is not penetration) plus it tests attacks, not risks.

                                  Example.. which tells you how long it will take to break through a door, hitting it with a hammer or knowing a lot about the door? If you know enough about the door, you know where it is weak or if the hinges are about to give out. If you just hit it with a hammer, you might get lucky and get in on the first swing or you might never hit it hard enough to break the hinge.

                                  Both are valuable, but one tells you a lot more, typically.

                                  Yes, alot of people use security assessment and pentesting as interchangeable terms but they are much different. Pen testing is only done when you feel you've already covered everything found on a security assessment.

                                  Yes, doing both is definitely good. But if only doing one, it's the assessment that I'd want.

                                  Especially in an org that I am assuming has not run any vuln scans. They are going to have over a year's worth of work if they are lucky.

                                  We would like to see what could be cone 'as is'. Just because we have not had a security report done, does not mean one should assume we would fail it. We have a lot in place and fixed processes, of course, nowhere is 100%, but i'd like to see what an external tester could do with nothing more than the company name. That's all an actual attacker would have.

                                  Unless the attacker was an internal attacker//had links to someone internal to know a bit more...? Never forget that the biggest vulnerability in any business is the fleshy thing in front of the screen.

                                  Which much more likely than an external attack....

                                  1 Reply Last reply Reply Quote 1
                                  • s.hacklemanS
                                    s.hackleman
                                    last edited by

                                    I used to use Trustwave for external PCI pen testing. They were a solid meh. It let me fill in the box that we had been externally scanned for vulnerabilities from a third party on our self assessment. That being said if they found anything that needed attention they would never give any advice or talk with me, just hand me a report with a yellow or red dot on it, and tell me I can request another scan after updating my config. I'm assuming to cover their asses, but it was frustrating that they were so close lipped for the amount of money we were giving them.

                                    I Deleted74295D 2 Replies Last reply Reply Quote 1
                                    • I
                                      IRJ @s.hackleman
                                      last edited by

                                      @s.hackleman said in Pentest - Who would you recommend?:

                                      I used to use Trustwave for external PCI pen testing. They were a solid meh. It let me fill in the box that we had been externally scanned for vulnerabilities from a third party on our self assessment. That being said if they found anything that needed attention they would never give any advice or talk with me, just hand me a report with a yellow or red dot on it, and tell me I can request another scan after updating my config. I'm assuming to cover their asses, but it was frustrating that they were so close lipped for the amount of money we were giving them.

                                      Unfortunately, that is pretty standard. That is why the SOW is so important.

                                      1 Reply Last reply Reply Quote 1
                                      • Deleted74295D
                                        Deleted74295 Banned @s.hackleman
                                        last edited by Deleted74295

                                        @s.hackleman said in Pentest - Who would you recommend?:

                                        I used to use Trustwave for external PCI pen testing.

                                        PCI compliance is an absolute joke. As are the auditors who charge money to "test" for compliance.

                                        How to be compliant really quickly?

                                        • Get second internet connection, All ports in blocked.
                                        • Place PCI traffic onto that internet connection and isolate it on its own network.
                                        • Ask to run the test, success, you passed.
                                        s.hacklemanS 1 Reply Last reply Reply Quote 2
                                        • s.hacklemanS
                                          s.hackleman @Deleted74295
                                          last edited by

                                          @Breffni-Potter said in Pentest - Who would you recommend?:

                                          @s.hackleman said in Pentest - Who would you recommend?:

                                          I used to use Trustwave for external PCI pen testing.

                                          PCI compliance is an absolute joke. As are the auditors who charge money to "test" for compliance.

                                          How to be compliant really quickly?

                                          • Get second internet connection, All ports in blocked.
                                          • Place PCI traffic onto that internet connection and isolate it on its own network.
                                          • Ask to run the test, success, you passed.

                                          External testing for low levels sure, but SAQ-B for a company that holds credit card numbers and does charges to recover losses to those cards is a whole different ball game. I took my job quite seriously.

                                          1 Reply Last reply Reply Quote 0
                                          • S
                                            scottalanmiller @Jimmy9008
                                            last edited by

                                            @Jimmy9008 said in Pentest - Who would you recommend?:

                                            @IRJ said in Pentest - Who would you recommend?:

                                            @Jimmy9008 said in Pentest - Who would you recommend?:

                                            @IRJ said in Pentest - Who would you recommend?:

                                            @scottalanmiller said in Pentest - Who would you recommend?:

                                            @IRJ said in Pentest - Who would you recommend?:

                                            @scottalanmiller said in Pentest - Who would you recommend?:

                                            @Carnival-Boy said in Pentest - Who would you recommend?:

                                            @IRJ said in Pentest - Who would you recommend?:

                                            You definitely don't want a pen test, you need a security assessment. There will be plenty of things to fix, and after securing the network then you could do a pen test the following year.

                                            Same thing. What do you think an assessment will do that a pentester won't (and vice versa)?

                                            One is only testing penetration from a set of attacks. Most security vulnerabilities are not penetration so aren't part of that test (like SQL Injection is not penetration) plus it tests attacks, not risks.

                                            Example.. which tells you how long it will take to break through a door, hitting it with a hammer or knowing a lot about the door? If you know enough about the door, you know where it is weak or if the hinges are about to give out. If you just hit it with a hammer, you might get lucky and get in on the first swing or you might never hit it hard enough to break the hinge.

                                            Both are valuable, but one tells you a lot more, typically.

                                            Yes, alot of people use security assessment and pentesting as interchangeable terms but they are much different. Pen testing is only done when you feel you've already covered everything found on a security assessment.

                                            Yes, doing both is definitely good. But if only doing one, it's the assessment that I'd want.

                                            Especially in an org that I am assuming has not run any vuln scans. They are going to have over a year's worth of work if they are lucky.

                                            We would like to see what could be cone 'as is'. Just because we have not had a security report done, does not mean one should assume we would fail it. We have a lot in place and fixed processes, of course, nowhere is 100%, but i'd like to see what an external tester could do with nothing more than the company name. That's all an actual attacker would have.

                                            I suppose it's possible, but I have never seen that to be the case. If you aren't looking for vulnerabilities how are you addressing them?

                                            If they can get in using their various techniques... that shows the vulnerability.

                                            But what if they can't get in? Breaking in only shows a weakness, it doesn't expose the "how".

                                            1 Reply Last reply Reply Quote 0
                                            • 1
                                            • 2
                                            • 3
                                            • 2 / 3
                                            • First post
                                              Last post