pen testing rfp

I am preparing a penetration testing RFP and have come up with a list of questions. Anybody see anything they think should be included? So far I have:

* ability to test web applications, web services or any internet-facing application
* ability to provide detailed reporting with POC exploits
* include at least one re-test to confirm mitigation efforts were successful
* ability to interface with developers/application owners to discuss open vulnerabilities in detail and help guide mitigation
* ability to provide an attestation letter for various compliance requirements and the ability to produce a 'good guy' letter for customer audits
* have a turnaround time from quote to report submission of 1 month
* ability to create our own testing schedule and times
* contact the business owner/application owner before compromising systems with suspected exploits, and notification of 'urgent' vulnerabilities found
* have a documented cleanup/post-mortem plan as part of the post-testing process
* have the ability to provide tiered service and flexible pricing based on the complexity of the application
* have the ability to do a vulnerability assessment versus a penetration test for lower-tier applications at a significantly reduced cost
* highly skilled staff with industry-recognized certifications
* ability to provide trending reports
* ability to retest as often as desired
* ability to provide an interface developers/application owners can
* 'portal'-like access to check results or launch a retest
* have the ability to routinely test 20+ applications on a continuous basis

thanks!

------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified.
http://www.iacertification.org
------------------------------------------------------------------------
Re: pen testing rfp

What sort of attestation letter were you thinking?

On Mon, Oct 19, 2009 at 1:32 PM, John Bennett <john@...> wrote:
> [quoted original post, as above]