Who Can You Trust to Test Your Network Security?
sjuels asks: "I am working in a US based company, where we have installed a commercial firewall solution, and now I would like to know how secure we are. I know that a system like ours is never going to be 100% safe from attacks, but I would like to know how vulnerable we are, and I do not trust the company that installed the firewall solution to find the holes in their own product, and the guys that can really do some damage to a system like ours are not exactly in the phone book. How do other people get around this? I cannot believe that it is not a consideration for everyone who tries to secure a network." Anyone out there have recommendations for Security Consultants? Which ones are worth the money that you will spend and which ones should you stay far away from?
Well, for personal stuff, I usually hit places like secure-me.
I'm currently in a "network security" grad class (someday I'll take a class where I don't know what's going on), and the instructor, who works for Ernst & Young, seems to really know his stuff...
Of course, there's no reason to take my word for it, even though I don't work for them and my grade in the class is already more or less a lock regardless of what I do.
--
"The urge to save humanity is almost always a false front for the urge to rule." --H.L. Mencken
This will come off as a bit biased (which it is), but I work for a company that has written some software called Hailstorm that's very good at helping you test your own security. It's especially good in situations where you have written something custom, whether it be a CGI script or some sort of server program. It succeeds where security scanners fail, because it can help you find problems that are previously unknown. To see it in action analyzing IDS systems, check out the article at SecurityFocus. Good security consulting firms are VERY expensive, so Hailstorm may be a good choice depending on what you are really looking for.
If you want to hire a security firm, I would suggest a few different companies: Securify, a division of Kroll-O'Gara; Guardent; Ernst & Young; @Stake; and Foundstone.
Also, if you are interested in trying out Hailstorm (which, for the time being, only runs on NT 4.0/W2K, although it can test applications on any OS), shoot me an email (removing the obvious part), and I'll help you out. A trial version can be downloaded at www.ClickToSecure.com.
Well, the good folks over at www.securityfocus.com have compiled a list of penetration testing companies. You could go look them up (or search in the pen-test mailing list archives at SecurityFocus).
I can throw myself at the ground, and miss.