Avoid Wasting Money on Penetration Testing

Published 2007-02-21 (last modified 2021-12-30) at https://www.cybersecurityinstitute.com/blog/index.php/2007/02/21/avoid-wasting-money-on-penetration-testing/

Penetration testing is the final word in proving that technical compliance and good security practices are in place – or so it should be. What is the impact on quality if the consultant is overworked? The trouble with asking questions like these is that there's no tick box to check when choosing your supplier. Is it good quality for the consultant to do a quick portscan, and not cover all 65k ports, for example? Doing a full port scan takes time, and usually turns up nothing that a quick portscan wouldn't find. Is it good quality to identify 'autocomplete' on an application as low risk, because that's the standard classification, without taking into account the context of the application and the business – e.g. a banking application?

Is it reasonable to assume that an expert at testing Solaris, AIX, and other Unix flavours is also going to be equally good on Windows? The truth is that most consultants have favourite platforms which they know at a deep level, and are either just competent or even incompetent with other platforms. Just as you wouldn't use a tractor on a racetrack, or a Ferrari in a field, you wouldn't put a Unix expert on a Windows test, or an Oracle expert on an MSSQL assignment.

Consultants hate report writing

The secret is out – consultants hate writing reports. You don't 'see' the assessment – you see the report!

The report IS the deliverable

Remember, it is the Executive Summary that you will show to your manager, the remediation advice that you will give to your team, and the classified vulnerabilities that your auditor will review.

The Methodology

No doubt you've read, or at least skimmed through, the "Methodology" paper on your supplier's web site, or their glossy brochure. It is designed to demonstrate a deep understanding of the assessment process. A consultant can do an excellent job without following the company methodology, but without a structure to work with, there is a good chance the results will be inconsistent at best, and dangerously incomplete at worst. It's easy to wheel in a star consultant to win the business, but follow through with a trainee.

Finally, remember that companies don't perform penetration tests, people do. So no matter which company you go to, it always boils down to the person you have working on your account.

Original article: http://www.it-observer.com/articles/1308/avoid_wasting_money_penetration_testing/