[Chugalug] penetrate me!

Ed King chevyiinova at bellsouth.net
Thu Mar 27 15:49:33 UTC 2014


As of this morning I was told to not spend any more time finding a pen tester.

I predict, 2 weeks from now, I'll be asked "have you found a pen tester yet?!"

my. brain. is. melting.



________________________________
 From: Stephen Kraus <ub3ratl4sf00 at gmail.com>
To: Chattanooga Unix Gnu Android Linux Users Group <chugalug at chugalug.org> 
Sent: Thursday, March 27, 2014 10:15 AM
Subject: Re: [Chugalug] penetrate me!
 


Man, sounds like the company I'm working for: All the IT got left by the wayside and was in a mess when I came in.



On Thu, Mar 27, 2014 at 9:34 AM, Christopher Rimondi <chris.rimondi at gmail.com> wrote:

Unfortunately it is probably just due diligence and who you have perform it will not be as important as that you had it done. If your client has someone who mildly knows what they are doing they may look at the scope of the test. Without knowing more information about your situation the things I would look at when hiring someone like this are their experience, references, insurance, etc...
>
>
>I will give Stephen Haywood a good recommendation FWIW.
>
>
>
>On Thu, Mar 27, 2014 at 8:58 AM, Joseph Simoneau <joseph.simoneau at gmail.com> wrote:
>
>If it'll satisfy your requirements for professionalism, I can get in contact with the greyhat club at Georgia Tech.
>>We're all students, mostly undergrads, but I'm sure we'd love to put a team together for travel (if necessary, not sure what scenarios you're looking at), possibly a pittance, and resume fodder.
>>Some of us definitely know what we're doing; some have interned or co-op'd; and graduates tend to get hired by firms like PWC and BishopFox. 
>>If you're interested, send me some information, and I'll ask for interest at the meeting tonight. 
>>-js
>>Our "network administrator" at the main office quit over a year ago and a replacement was never hired.
>>http://www.linkedin.com/pub/christopher-silver/7/6a8/341
>>
>>Our "network administrator" at our "NOC" quit over a year ago and never got replaced.
>>www.linkedin.com/in/mlaman
>>
>>Our "phone system guy" quit a year ago, a replacement was hired, but I've seen him, like, once. When the phone/fax systems go down, they call ME.
>>http://www.linkedin.com/profile/view?id=49461976
>>
>>So guess what?  I and one of the other programmers on my team inherited all these extra support duties (without a single f'ing penny of a pay raise, mind you).
>>
>>We inherited hardware and software that hasn't been updated in years (insert career-damaging-but-painfully-true my-boss-is-a-cheap-bastard-and-doesn't-spend-money-on-upgrades comment here)
>>
>>We know basic firewall, iptables, are mindful of SQL injection, can install/run/monitor virus scanners etc, but we are not security experts nor do we play one on t.v.
>>
>>If this situation wasn't stressful enough, it has now come to a boil as a potential (big!) client "demands" proof of pen testing before they will let us host their data. At this point I'm spread way too thin and told my boss today that he needs to crack open that wallet and hire an outside pen tester. Anyone on the list "qualified" to do it? Willing to work for peanuts?
>>
>>What defines a qualified pen tester? I see what appears to be "free" software I could download and run myself, if I was inclined to take on more responsibility w/o pay. I suppose this free software would be a "good start" but is a pen test done by an "internal" employee good enough for the client? I doubt it.
>>
>>
>>
>>
>>
>>
>>_______________________________________________
>>Chugalug mailing list
>>Chugalug at chugalug.org
>>http://chugalug.org/cgi-bin/mailman/listinfo/chugalug
>>
>>
>>
>
>
>
>-- 
>
>Chris Rimondi | http://twitter.com/crimondi | securitygrit.com
>
>

