Penetration (Pen) testing

Oh man! Ad-blocking software has been detected! :'(

This website is run by the community, for the community... and it needs advertisements in order to keep running. Blocking our ads means your killing our stats!
Please disable your ad-block, or become a premium member to hide all advertisements and this notice.

Hi Guys,

from speaking to some of our clients pen testing is now becoming a quarterly or twice yearly service, and the costing of this is quite considerable. Thinking that we could offer a service like this easily, we are immediately faced with the problem of gauging what is required, and what the client report generally gets from these reports.

Does anyone have any previous experience of performing pen tests who could give me some pointers, or any old pen test reports (with company details removed) that they could provide me with?

Kind regards,
Asterix

 

Thanks mate, very useful - although it would still be very useful to get a few real world reports from different resources to review

 

Hmmmm i dont think we are at the stage where we are looking for training yet, more investigation, although the course does look interesting thanks

Thanks for the PM, ill keep my eyes open for any promotions

 

I have been a pen tester until very recently, for a short period, and whilst not currently a tester am still involved heavily. If you have any specific questions then fire away.

What I will say is that when people are looking for someone to perform tests for them if they are generally looking for the big/main pen testing certs that are recognised by government/cesg, in this country anyway, if you're offering this as a service to customers.

http://www.cesg.gov.uk/products_services/iacs/check/index.shtml

You're talking Check, CREST or Tigerscheme which can both get you Check equivalent status. Anything else isn't worth looking at to be taken seriously imho, and even then I know Tigerscheme isn't looked upon too favourably by a lot of the leading companies as you can just go on a course for it, but it's a potentially easier route to Check status....

Imho CREST is the one to have, start off as a registered tester before moving up to certified tester.

I was planning on the CREST route until I changed jobs, liked the work though and would still like to be doing it....

You might struggle finding copies of real tests, not something companies usually want out in the wild ;)

What I'll say is there's a lot to testing, it's not just running a vuln scanner and nmap

There's more to it than just the technical skills, you've got the whole process from the initial engagement discussions, scoping, testing, reporting. Then depending on what kind of service you're offering you might also be involved in the remediation activities and then retesting.

As said any specific questions fire away.