First of all, my company's main line of business is penetration testing,
so I can probably give a detailed picture of this field but will do my
best to stick to list guidelines regarding promoting business.
With that out of the way:
What Brad Stone describes is unfortunately a well-known problem with a
significant portion of service providers, especially when:
- The provider relies only on automated vulnerability scanning tools
(not designed for the Midrange world)
- The "penetration test" is just a checkmark on the audit sheet, and the
client basically just wants to get it over with (for which running a
scan with zero expert review is probably the easiest way)
Now this is not what penetration testing should be about. During a
proper engagement, testers will:
- Get an understanding of what the target system does and how it does
it, so they can focus on the actual _security_boundaries_ that have to
- Map the attack surface of the system. This is where automated scanning
can play an important role, but it should not be the only way
information is obtained.
- Collect vulnerability information and test for vulnerable
configurations (e.g. default passwords don't have a CVE).
- Execute tests to discover vulnerabilities in the implementations of
custom system components.
- *Try to exploit vulnerabilities* in order to inform risk assessment.
- Report *distilled information*, filtering out irrelevant findings
(e.g. HTTP headers only important for Facebook, but not for your
internal accounting). Providing guidance about the resolution of the
identified issues is usually part of the package.
As for specific concerns raised originally by James H. H. Lampert:
"Program testing can be used to show the presence of bugs, but never to
show their absence." - Edsger W. Dijkstra
This is of course true for penetration testing too. In my experience
(proper) pentesting is useful because:
- It will find vulnerabilities that attackers could actually use
- It puts sunlight on sometimes forgotten places that need more
attention from security. As Halvar Flake said: "The only person in
computing that is paid to actually understand the system from top to
bottom is the attacker"
- It finds vulnerabilities even the vendor doesn't know about
"You can't argue with a root shell" - FX
(Proper) pentest results are generally solid. We tend to report
uncertain findings, explicitly marking them as such, as guidance for
more targeted assessments (see my second point above).
We also have to report potential compliance issues (think obsolete TLS
protocol versions), because compliance violation is a business risk...
Good pentesters highlight the actual severity of such findings in their
"I don't have a quote for this" - Me
I'm not sure I understand Brad here, but I'm not aware of any pentesters
charging per finding. Fees are determined in advance and are usually
dependent on system complexity (that can mean different parameters with
different targets). So this is a fixed cost, usually calculated based on
daily rates (at the end of the day we are consultants).
The tricky part is deciding whether to spend a fixed sum on something that
can prevent an uncertain future loss. In this regard I would argue that
pentests help keep the system tidy, even if there were no breach.
Experience also shows that companies that have experienced a breach tend to
become returning customers even after the exploited holes were patched.
For the effectiveness part: one mistake people commonly make is looking
at daily rates, while a seasoned expert for double the price can easily
be 3x more effective than a junior.
I could keep on detailing the ins and outs of project planning,
execution and evaluation, but I'd rather tell you to feel free to post
any specific questions to this thread; I will keep an eye on it!
Have a nice day,
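The post above argues that raw scanner output has to be filtered against what the system actually does: a hardening header that matters for a public site is noise for an internal accounting application, a default password is critical even though it has no CVE, and an obsolete TLS version is a compliance finding whose real severity depends on context. The following is an added example of such context-aware triage, written for this page and not code from the poster or their company. The finding format, the asset attributes (`internet_facing`, `handles_regulated_data`), the check names and the severity rules are all assumptions made for illustration, and the findings are constructed sample data, not output from a real scan.

```python
"""Context-aware triage of raw scanner findings (added example, assumed data model)."""
from dataclasses import dataclass, replace
from typing import Optional

SEVERITY_ORDER = ["critical", "high", "medium", "low", "info"]


@dataclass
class Asset:
    name: str
    internet_facing: bool          # reachable by untrusted browsers/clients
    handles_regulated_data: bool   # e.g. payment or personal data


@dataclass
class Finding:
    asset: str
    check: str                     # scanner check identifier (assumed naming scheme)
    scanner_severity: str          # what the tool said
    detail: str = ""
    reported_severity: Optional[str] = None   # filled in by triage
    category: str = "vulnerability"           # "vulnerability" or "compliance"
    note: str = ""


# Constructed sample inventory and scanner output; not real hosts or real results.
ASSETS = {
    "acct-internal": Asset("acct-internal", internet_facing=False, handles_regulated_data=True),
    "www-public": Asset("www-public", internet_facing=True, handles_regulated_data=False),
}
RAW_FINDINGS = [
    Finding("acct-internal", "missing-hsts-header", "medium"),
    Finding("www-public", "missing-hsts-header", "medium"),
    Finding("acct-internal", "default-credentials", "info", detail="admin/admin accepted"),
    Finding("acct-internal", "tls-1.0-enabled", "low"),
    Finding("www-public", "tls-1.0-enabled", "low"),
]

# Browser-hardening headers only matter where untrusted browsers reach the service.
BROWSER_HEADER_CHECKS = {"missing-hsts-header", "missing-csp-header", "missing-x-frame-options"}
# Obsolete protocol versions are reported as compliance issues, not as exploitable bugs.
OBSOLETE_TLS_CHECKS = {"tls-1.0-enabled", "tls-1.1-enabled", "sslv3-enabled"}


def triage(finding: Finding, asset: Asset) -> Optional[Finding]:
    """Return a copy with a context-based severity, or None to drop the finding."""
    f = replace(finding)
    if f.check == "default-credentials":
        # No CVE, scanner rates it "info", but it hands an attacker a working login.
        f.reported_severity = "critical"
        f.note = "Working default credentials; directly exploitable regardless of CVE data."
        return f
    if f.check in BROWSER_HEADER_CHECKS:
        if not asset.internet_facing:
            return None  # irrelevant for an internal, non-browser-exposed service
        f.reported_severity = f.scanner_severity
        f.note = "Browser hardening header missing on an internet-facing service."
        return f
    if f.check in OBSOLETE_TLS_CHECKS:
        f.category = "compliance"
        f.reported_severity = "medium" if asset.internet_facing else "low"
        f.note = "Obsolete protocol version: compliance risk; exploitability depends on clients and ciphers."
        return f
    f.reported_severity = f.scanner_severity  # no contextual rule: keep the tool's rating
    return f


def triage_report(findings, assets):
    """Apply triage to every finding and return the kept ones, most severe first."""
    out = []
    for fi in findings:
        asset = assets.get(fi.asset)
        if asset is None:
            raise KeyError(f"unknown asset {fi.asset!r}; map every host before triage")
        t = triage(fi, asset)
        if t is not None:
            out.append(t)
    out.sort(key=lambda f: SEVERITY_ORDER.index(f.reported_severity))  # stable sort
    return out


def summarize(report):
    """Count reported findings per severity."""
    counts = {}
    for f in report:
        counts[f.reported_severity] = counts.get(f.reported_severity, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage_report(RAW_FINDINGS, ASSETS):
        print(f"{f.reported_severity:8} {f.category:13} {f.asset:14} {f.check}  {f.note}")
```

Run as-is, the script drops the HSTS finding on the internal accounting host, promotes the default-credentials finding from "info" to "critical", and files both TLS 1.0 findings under "compliance" with different severities depending on exposure. The rule set is deliberately small; in practice the asset inventory is the expensive part, which is exactly the "understand what the target does" step the post puts first.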
Thread: RE: Does anybody here have any experience with penetration testing services?
This mailing list archive is Copyright 1997-2023 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact