Penetration Testing

scud (Senior Member, joined Sep 1, 2005, 892 messages)
Can anyone recommend a local company that does penetration testing, gap assessment, etc.?
Thanks
 

scud (Senior Member, joined Sep 1, 2005, 892 messages)
And just pen testing? KPMG sounds a bit expensive.
I just need to pen test one of our servers for compliance; there must be someone local who offers this service.
I have googled, and there are a few, but I would really like a recommendation.
 

OCP (Expert Member, joined Jan 23, 2014, 3,104 messages)
You asked who did - you didn't ask if they were cheap ;-)

I know of a few more - will give details tomorrow when back at my desk.
 

Barbarian Conan (Expert Member, joined Aug 8, 2017, 1,207 messages)
Sensepost

Their reports were very good the last time I was involved with a product they tested. On the other hand, another company that I thought was more finance oriented (I don't remember who) gave some pretty generic and overall useless recommendations.
 

rpm (Admin, Staff member, joined Jul 22, 2003, 64,726 messages)
Sensepost - Highly trained security guys, and nice too.
 

@udiS3 (Senior Member, joined Feb 4, 2008, 503 messages)
Sensepost - they are good.

If you have some technical skill within your organisation, run a few open source scan tools against the server and app beforehand. This will allow you to fix a lot of the issues and save a lot of money before getting a vendor involved.

Nessus/OpenVAS - check the server.

OWASP Zap - check the web application.
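One way to act on the advice above before the vendor arrives, as an added example that is not from this thread: a Python script that reads a Nessus .nessus (v2 XML) export, counts findings per host and severity, and lists what to fix first, worst first. The scan document embedded below is constructed (made-up hostnames, plugin IDs and texts), the element names assume the NessusClientData_v2 layout, and OpenVAS/GVM uses a different XML report format, so this parser is Nessus-specific.

```python
"""Triage a Nessus .nessus (v2 XML) export before a vendor engagement.

Added example: parses the NessusClientData_v2 layout, groups findings by host
and severity, and lists what to fix first. The scan data below is constructed,
not taken from a real scan.
"""
import xml.etree.ElementTree as ET
from collections import defaultdict

# Severity integers used in .nessus files: 0 info, 1 low, 2 medium, 3 high, 4 critical
SEVERITY_NAMES = {0: "Info", 1: "Low", 2: "Medium", 3: "High", 4: "Critical"}

# Constructed sample in the .nessus v2 layout (hostnames, plugin IDs and texts are made up).
SAMPLE_NESSUS = """<NessusClientData_v2>
  <Report name="pre-engagement">
    <ReportHost name="10.0.0.5">
      <HostProperties>
        <tag name="host-fqdn">app01.example.internal</tag>
      </HostProperties>
      <ReportItem port="443" svc_name="https" protocol="tcp" severity="2"
                  pluginID="900001" pluginName="TLS 1.0 enabled">
        <risk_factor>Medium</risk_factor>
        <solution>Disable TLS 1.0 and 1.1 on the listener.</solution>
        <cvss_base_score>5.3</cvss_base_score>
      </ReportItem>
      <ReportItem port="445" svc_name="cifs" protocol="tcp" severity="4"
                  pluginID="900002" pluginName="SMB service missing vendor patches">
        <risk_factor>Critical</risk_factor>
        <solution>Apply the vendor's SMB security updates.</solution>
        <cvss_base_score>9.8</cvss_base_score>
      </ReportItem>
      <ReportItem port="0" svc_name="general" protocol="tcp" severity="0"
                  pluginID="900003" pluginName="OS identification">
        <risk_factor>None</risk_factor>
      </ReportItem>
    </ReportHost>
  </Report>
</NessusClientData_v2>
"""


def parse_nessus(xml_text):
    """Return a list of finding dicts from a .nessus v2 document string."""
    root = ET.fromstring(xml_text)
    findings = []
    for host in root.iter("ReportHost"):
        host_name = host.get("name", "?")
        for item in host.findall("ReportItem"):
            cvss = item.findtext("cvss_base_score")
            findings.append({
                "host": host_name,
                "port": int(item.get("port", "0")),
                "protocol": item.get("protocol", ""),
                "severity": int(item.get("severity", "0")),
                "plugin_id": item.get("pluginID", ""),
                "name": item.get("pluginName", ""),
                "solution": item.findtext("solution", default="").strip(),
                "cvss": float(cvss) if cvss else None,
            })
    return findings


def summarize(findings, min_severity=2):
    """Count findings per host and severity name, ignoring anything below min_severity."""
    counts = defaultdict(lambda: defaultdict(int))
    for f in findings:
        if f["severity"] >= min_severity:
            counts[f["host"]][SEVERITY_NAMES[f["severity"]]] += 1
    return {host: dict(sev) for host, sev in counts.items()}


def fix_list(findings, min_severity=2):
    """Findings at or above min_severity, worst first, as (host, port, name, solution)."""
    keep = [f for f in findings if f["severity"] >= min_severity]
    # Sort by severity, then CVSS score, then host/port so the order is stable.
    keep.sort(key=lambda f: (-f["severity"], -(f["cvss"] or 0.0), f["host"], f["port"]))
    return [(f["host"], f["port"], f["name"], f["solution"]) for f in keep]


if __name__ == "__main__":
    found = parse_nessus(SAMPLE_NESSUS)
    print("Findings per host (medium and above):", summarize(found))
    for host, port, name, solution in fix_list(found):
        print(f"{host}:{port}  {name}\n    fix: {solution}")
```

Run it against a real export by replacing SAMPLE_NESSUS with the file contents; the default threshold drops informational and low findings so the list is short enough to work through before the engagement starts.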
 

ActivateD (Expert Member, joined Jun 7, 2004, 1,317 messages)
You just want to look at one server? Is this server domain joined? What other systems communicate with that server? You may want to do a full penetration test on the network. Do you want a penetration test or just a compliance review? Those are two different things. Depending on what type of compliance testing you want done, I am sure Nessus can do it. Nessus uses the CIS benchmarks (https://www.cisecurity.org/cis-benchmarks/), so if your OS is Microsoft Windows 2012 R2, for example, there are level 1 and 2 benchmarks for that.
 

MervinPearce (New Member, joined Jun 20, 2007, 6 messages)
No offence taken. :) Many get SACS.co.za confused with SACS.ac.za, the school in the Cape.
It is also important to understand the difference between some large companies selling a PenTest dressed in Vulnerability Assessment. Lots of manual processes are required.

Regards
Mervin
 

SauRoNZA (Honorary Master, joined Jul 6, 2010, 33,270 messages)
I test my penetration often.

Depending on your cup size I'm sure we could make an arrangement.
 

EMAM (Honorary Master, joined Nov 16, 2012, 11,221 messages)
Every time I see this topic come up in my threads, I'm soooooooo tempted.....

But I'll behave!

Anyway, clickbait title.
 

DMNknight (Expert Member, joined Oct 17, 2003, 3,185 messages)
> And just pen testing? KPMG sounds a bit expensive.
> I just need to pen test one of our servers for compliance; there must be someone local who offers this service.
> I have googled, and there are a few, but I would really like a recommendation.

You can't really take this approach. The really good hackers will use anything and everything to try and get into your server if they are determined enough.
Therefore not only physical security, but also the security of the technology components that surround the server, is of paramount importance.

Also, you need a team of specialists, rather than just a single person. People think differently from each other, so it's best to get a team of people that will try a variety of methods to breach, which the others have possibly not thought of.

This is not a small exercise, where you can target a single server and say "we're safe". That's a placebo effect and won't have the result you're actually looking for.
 