[GLLUG] Penetration Test

Brad Fears brad@mtsdev.com
24 Jan 2003 23:28:30 -0500


I'll second that.  The department I work for (state gov't, go figure)
almost contracted EDS to conduct similar penetration tests for some of
our servers.  EDS wanted $50K for two weeks of testing and reporting.  I
was able to conduct the same level of testing with mostly open source
software and a little creativity.  Given, not every company is as
ridiculously priced as EDS, but in most cases, you can avoid
professional testing altogether with a little investigation of your
own.  Besides that, most companies that provide these types of services
never offer much of an explanation about the nature of vulnerabilities,
so you won't learn how to maintain a proper level of security as your
infrastructure grows.

--Brad Fears


On Fri, 2003-01-24 at 11:54, Hampton, Rodney wrote:
> In short, don't hire a company until you've done your homework and gotten
> the basics out of the way.  Make sure the penetration test you contract is
> exposing things that you couldn't have discovered on your own.
> 
> My 0.02
> 
> 
> 
> 
> Rodney Hampton
> (sorry about the HTML mail)
> 
> -----Original Message-----
> From: Suzanne Reiner [mailto:sreiner@fnba.com]
> Sent: Friday, January 24, 2003 10:39 AM
> To: linux-user@egr.msu.edu
> Subject: [GLLUG] Penetration Test
> 
> 
> We're in the market for penetration testing.  If anyone knows of a reliable
> company, I'm all ears.  FYI:  we will need detailed reporting (high-level
> for the suits and tech detail for IT) with recommendations.  Familiarity
> with banking/OCC procedures a plus, but not necessary.
> 
> Cheers,
> 
> Suzanne
> 
> _______________________________________________
> linux-user mailing list
> linux-user@egr.msu.edu
> http://www.egr.msu.edu/mailman/listinfo/linux-user