Penetration Tests

Associate | Joined 26 Mar 2003 | Posts 783
Hi all,

I've taken a bit of a punt on where to put this, so apologies if it's inappropriate - please move if applicable.

The company I work for has developed, internally, a private 'data portal' for clients to log in and download reports. It is in the form of an externally hosted website. As part of the sign off process, a particular client has asked if it's been Pentested - it hasn't. Whilst I understand the premise, I'm a bit out of my depth with the companies that offer the service - as I haven't heard of any of them.

Are there any de facto suppliers of this service? Just keen to spend the money on a recognisable 'certificate' if possible.

Any nudges in the right direction would be appreciated.

Cheers.
 
There are plenty of people who do this, but NCC are certainly a big part of the market for secure government IT Security Health Checks (pentesting).


Depending on the scale of the platform, you only really need to do checks on a representative example, and then work through the issues on the rest of the environment.


The reality is you can simply use something like Nessus to look for vulns and have a good idea about it. The cost from checks is professional services on how to fix issues that you lack the skills to resolve yourself.
 
> The reality is you can simply use something like Nessus to look for vulns and have a good idea about it. The cost from checks is professional services on how to fix issues that you lack the skills to resolve yourself.

That will be a good start, but as we are all aware a vulnerability scan is not the same as a pen test ;)

A vuln scan will show you some potential weaknesses, but a pen test should go deeper with more of the focus on trying to exploit something, and can often flag up things an automated scanner will not.

I've seen plenty of so-called pen tests that have been tarted-up vuln scan reports; if you're paying for a pen test, then that's what you should be getting.

I would disagree with the comment that the cost of a test is high because it includes remediation advice/activities; I have never found that to be the case.

Have been involved with many of the testing companies in the past; two I'd recommend are Pen Test Partners and Portcullis. NCC, as stated, are another large company that offer the service.

To be honest, take a look at the list of Crest-registered companies (http://www.crest-approved.org/crest-member-companies/member-companies/index.html) and take your pick; they should all be more than capable.
 