[Chugalug] penetrate me!

Christopher Rimondi chris.rimondi at gmail.com
Thu Mar 27 13:34:59 UTC 2014


Unfortunately it is probably just due diligence and who you have perform it
will not be as important as that you had it done. If your client has
someone who mildly knows what they are doing they may look at the scope of
the test. Without knowing more information about your situation the things
I would look at when hiring someone like this are their experience,
references, insurance, etc...

I will give Stephen Haywood a good recommendation FWIW.


On Thu, Mar 27, 2014 at 8:58 AM, Joseph Simoneau
<joseph.simoneau at gmail.com> wrote:

> If it'll satisfy your requirements for professionalism, I can get in
> contact with the greyhat club at Georgia tech.
>
> We're all students, mostly undergrads, but I'm sure we'd love to put a
> team together for travel (if necessary, not sure what scenarios you're
> looking at), possibly a pittance, and resume fodder.
>
> Some of us definitely know what we're doing; some have interned or
> co-op'd; and graduates tend to get hired by firms like PWC and BishopFox.
>
> If you're interested, send me some information, and I'll ask for interest
> at the meeting tonight.
>
> -js
> Our "network administrator" at the main office quit over a year ago and a
> replacement was never hired.
> http://www.linkedin.com/pub/christopher-silver/7/6a8/341
>
> Our "network administrator" at our "NOC" quit over a year ago and never
> got replaced.
> www.linkedin.com/in/mlaman
>
> Our "phone system guy" quit a year ago, a replacement was hired, but I've
> seen him, like, once.  When the phone/fax systems go down, they call ME.
> http://www.linkedin.com/profile/view?id=49461976
>
> So guess what?  I and one of the other programmers on my team inherited
> all these extra support duties (without a single f'ing penny of a pay
> raise, mind you).
>
> We inherited hardware and software that hasn't been updated in years
> (insert career-damaging-but-painfully-true
> my-boss-is-a-cheap-bastard-and-doesn't-spend-money-on-upgrades comment here)
>
> We know basic firewall, iptables, are mindful of sql injection, can
> install/run/monitor virus scanners etc, but we are not security experts nor
> do we play one on t.v.
>
> If this situation wasn't stressful enough, it has now come to a boil as a
> potential (big!) client "demands" proof of pen testing before they will let
> us host their data.    At this point I'm spread way too thin and told my
> boss today that he needs to crack open that wallet and hire an outside pen
> tester.    Anyone on the list "qualified" to do it?    Willing to work for
> peanuts?
>
> What defines a qualified pen tester?  I see what appears to be "free"
> software I could download and run myself, if I was inclined to take on more
> responsibility w/o pay.    I suppose this free software would be a "good
> start" but is a pen test done by an "internal" employee good enough for the
> client, I doubt it.
>
>
>
>
> _______________________________________________
> Chugalug mailing list
> Chugalug at chugalug.org
> http://chugalug.org/cgi-bin/mailman/listinfo/chugalug
>
>
>


-- 
Chris Rimondi | http://twitter.com/crimondi | securitygrit.com