Penetration Tester Selection

[bestia]

Hi


We have a Web App on Server Running in a Data Centre

How does one go about selecting a penetration tester to test site

What certifications/experience should one look for ?

How do you ensure you actually get a pen test and not just a vulnerability scan ?

What reports should one expect to get ?

i know that i'm probably asking how long is a piece of string but what would you expect to pay for such a service ?

any other advice on selecting pen tester would be appreciated

[KMDave]

At first you should have a good feeling about the company doing that business. Ask for references, where they did pentests before, if and which securityflaws they have found.

Well if you are looking for a webapp pentester he should have experience in webbapp pentesting. There are so many certs out there, well I can't say just go by certs. There are a couple of certs just about the theory and/or management aspects not saying anything about their hands on knowledge. OSCP and OSCE are two certs where you can be sure that the person has at least some hands on experience and thinks outside the box (that is required in order to solve the exam challenge, especially for OSCE).

Well what is the difference for you between a pentest and vuln scan?

About the reports, that depends on the pentester/company you are hiring.
What do you expect yourself?
I'd say a detailed overview of the vulnerabilities, the consequences they have (i.e. data extraction possible) and ways to solve the issue for your IT department (if you have one).

That is what is coming directly to my mind. Might have some more ideas later on.

[Thorn]

How do you ensure you actually get a pen test and not just a vulnerability scan ?

It's pretty simple. A Vulnerability Assessment will simply be a list of possible vulnerabilities, that you will have to check out and prioritize. A full Pen Test will describe what vulnerabilities actually exist, and in what ways they are broken, and should tell you what things are critical to your business.

i know that i'm probably asking how long is a piece of string but what would you expect to pay for such a service ?

It depends on the scope (size of the web site, number of servers, on-site, vs. over the net, etc.) but VA will run $1k-5k USD, plus expenses, while a PT will probably run $25k-50k USD, plus expenses. (I'll let you do the conversion to AUD. ) VA will take a one to three days, a PT may take a couple of weeks.

Edit: BTW, let me know if it will be on site. My wife wants to see Australia, and if I can write some of it off as a business trip, so much the better.

[lupin]

How does one go about selecting a penetration tester to test site

Find some testers in your area (use Google) and send them out a request for quote. Pick a few. Be specific that you want a penetration test and not just a vulnerability assessment. They should respond with a proposal that includes pricing. Pick the one that sounds best.

I can give you the details of companies that do this in Canberra and Sydney if that helps, but I dont personally know any based in Melbourne (though Im sure they exist).

What certifications/experience should one look for ?

In the pen testing field in Australia I havent seen many testers who have specific pen testing certifications. Look for experience and references, stating that they have done the type of test you want performed.

How do you ensure you actually get a pen test and not just a vulnerability scan ?

First of all, ask for a penetration test in your request for a proposal and specify that vulnerabilities should be verified for exploitation. Look for language verifying this in the response.

What reports should one expect to get ?

Usually a draft report for you to review and then the final that includes your input. You can usually get raw test data too if you want it.

The report will usually contain a list of prioritised issues that they suggest you resolve (each given a risk rating), an Executive Summary, various pretty charts and Appendices that give details about exploitation methods that were used.

i know that i'm probably asking how long is a piece of string but what would you expect to pay for such a service ?

Depends on the complexity of the test, the company providing the quote AND the company asking for the quote, but going rate in Australia for a straightforward web pen testing engagement is usually from $12,000 to $19,000 AUD for a 10 business day engagement (including report preparation time).

any other advice on selecting pen tester would be appreciated

Look for evidence that they use a testing framework such as OWASP for the web pen testing process and perhaps OSSTMM for the other aspects of the tests. OSSTMM is maybe not so important for a web pen test (I think some of what v 3 of OSSTMM requires is overkill), but OWASP is very comprehensive and definitely recommended.

Also ask them how they go about the process of communicating the results. Some education for your web developers may be required if they dont have secure coding experience and if you havent had a test done before, so its good if the testers can communicate the results in a manner that is easily used by your developers and which doesnt put them off side. Dont expect them to fix the issues for you, but they should give you advice you can actually use to fix the problems they find.

Feel free to ask more as required.

[Gitsnik]

I agree with everything lupin says (IIRC he's based out of Sydney, I'm based out of Adelaide), so I guess I would just put forward a company I have heard of that apparantly do this sort of thing (actually a few).

Out of Sydney you have shearwater solutions - they're relativly new to the game, but I've seen some of their work and it comes close to meeting my own standards, you also have Pure Hacking - I hear mixed things about these people but they may be good.

Within Australia, as Lupin has mentioned, there are a few - there are two I am familiar with in Melbourne, neither of which will I recommend - outsourcing to Sydney is perhaps your better deal, though a lot of managers will probably want a face to face, and frankly I would agree with them.

[lupin]

I agree with everything lupin says (IIRC he's based out of Sydney, I'm based out of Adelaide),

Actually Canberra, although Im a little wary of admitting it because of Canberras reputation within the rest of Australia

Out of Sydney you have shearwater solutions - they're relativly new to the game, but I've seen some of their work and it comes close to meeting my own standards, you also have Pure Hacking - I hear mixed things about these people but they may be good.

Have had some dealings with Shearwater. They manage SANs training within Australia and do some other security consulting and sales work. They usually put forward Mark Hoffman for their Pen Testing Engagements, and he is quite experienced (He is a SANS incident handler and instructor).

Im aware of Pure Hacking, I briefly chatted to one of their guys at AusCERT 2008, and was considering OSSTMM training with them a year back but went with SANS GPEN instead. Havent gone to them specifically for Pen Testing, but that is their main business.

Other ones I know of that I could recommend would be Verizon Business, StratSec (they are a Canberra based company that recently merged with SIFT, who have some good web pen testers based out of Sydney) and Saltbush Assurance.

outsourcing to Sydney is perhaps your better deal, though a lot of managers will probably want a face to face, and frankly I would agree with them.

Yes, that was what I was considering as well, and why I hesitated to recommend the companies I had dealt with. If you're happy to do a meeting via Teleconference or via the phone, or one of the above companies will fly someone out to meet you (some do have Melbourne offices I think), then the companies I or Gitsnik suggested may be a viable option.

[Gitsnik]

Actually Canberra, although Im a little wary of admitting it because of Canberras reputation within the rest of Australia

Yeah... because Adelaide is sooooooo much better

[lupin]

Yeah... because Adelaide is sooooooo much better

Yeah true, but we are like Adelaide with Politicians. So we get the "theres nothing to do there" comments as well as getting the blame by association for anything stupid the Federal Government has done recently.

We dont even have fireworks any more! (But we still have the pr0n I guess....)