How do you tell a good security company from a bad one? That is the problem: do you really know you are getting the experts you are paying for?
Businesses hire experts to do pen testing and to audit the company to make sure it is compliant. A writer at Snosoft has an impassioned article on one of their bloggers' web sites on BlogSpot about how to make sure the customer is getting the value and the experts they are paying for. My own experience with outside experts is not positive, and we set a very high bar for the experts we hire to test our network, both in past jobs and going forward.
When a customer hires a security professional to perform a Penetration Test, Web Application Security Assessment, or any other service, that customer should be getting a real expert. That expert should be able to assess the customer's target infrastructure, application, or whatever and should be able to determine points of vulnerability and their respective risks. But that is not what I am seeing. Source: Snosoft
Frankly, when I hire an expert, they need to know more than I do about penetration testing, compliance, and how to break into a network. While I do not know everything, I will quickly spot the flaws in a vendor's argument or product. That is one reason most pentesting companies that pitch to us leave without a contract. You need to understand the business yourself to make sure you are getting quality, so every company should have at least one really good pentester on board.
While the vendors I work with have been responsive to my findings, which is fortunate, not every vendor is. Not every security department or business manager understands what I am saying until I show them the issue. Security departments are the first to blow me off, until I show them the XSS or other flaw in their system and then pull data or trigger pop-ups that demonstrate what I am talking about.
The demonstration is the most important part. Without it I can talk vaguely about risk, but unless I show the risk with a successful exploit, I get the glazed eyes and nodding heads routine at the out-brief. Then they get ticked off because you pulled their database or did something else against their test server, and you spend hours explaining what you did and how you did it. That is great for follow-on work, but not so good for a security department dealing with a vendor product or some in-house product. I am extraordinarily happy when I can demonstrate the risk, because many customers have gotten used to a Nessus scan report being thrown over the wall as "you have issues" while the vendor walks away.
The problem is that most companies get a Nessus or other scan report they paid six to twelve thousand dollars for, with no care and feeding or hand-holding. That is what we have come to expect when we pay for these services; in some ways it is what the business wants, expects, and desires. A really good pentest shows them flaws and errors that may mean they have to spend money or resources to fix the problem. The customer might not like that: they do not expect it, it is not what the business wants, and they do not desire it.
With so many fly-by-night security companies setting the expectation bar low, it is difficult to get a company to understand what the issues are without a demo. If the pentester is not good enough to give a demo, the finding gets swept under the carpet because the risks are not obvious. I am all for raising the quality bar in the information security field; everyone who participates should be able to do a decent pentest, but even some of the smarter companies have been unable to exploit or demonstrate risk, or have missed risk entirely in a web application. That is part of the reason uninformed or undertrained security companies can do so well: we already have a low bar and low expectations set by the pentest companies that come into our businesses. If we had really good pentesters and security companies out there, business would have a fit, because they would find out just how ill-prepared they really are.