Slashdot Mirror
Recommendations for Third Party Security Audits?

palehorse asks: "I am a developer/DBA/etc for a very large State Govt. Agency on the East Coast. We have been subjected to an increasing number of break-ins and website defacements over the past few months. My boss has recently been tasked by our CIO to find a reputable third party (not us or our ISP) to come in and do a complete and independent security assessment/vulnerability analysis for us. Since I'm the guy who usually bugs folks about security, she tasked me to come up w/ a list of firms who could do this for us, and a plan on what to test for and how. I've done the whole Google search/ZD-Net search/etc, which has given me way too many folks who do this kind of stuff, from ISS and IBM on down. Consequently I wanted to get some feedback/suggestions from the Slashdot community on where to go from here."

"Please keep in mind that while we're a large government agency, we have a small and overworked IT staff who have no real experience in internet/web security, and who are just now getting into a serious web presence.

Here are the main questions that I have:

  • Who have you used, and were they any good?
  • What should we look for in evaluating who to contact and their proposals?
  • What would you have done differently?
  • What services should we ask for?
  • How do we manage the contract to make sure we're not getting a snow-job?
  • How do we use the result to get buy-in from management (who will probably need to lay out money for changes) and from the developers (who may be adamantly opposed to changing their systems, either for ego reasons or it's just a lot of work)?
  • How often should we re-do these audits?
Again, I know there's a lot out there by the security firms themselves about this, but I'm really looking for a 'keyboarder-in-the-trenches' view as well. Horror stories are appreciated, since they may give us an idea what to watch out for."

16 of 350 comments

  1. How about by WinDoze · · Score: 3, Funny

    Anderson!

    Worked for Enron.

  2. Microsoft of course! by DJ-Dodger · · Score: 1, Funny

    I hear Microsoft has a lot of recent experience with this! Why not give Bill a call?

    1. Re:Microsoft of course! by ackthpt · · Score: 2, Funny

      Uh... That's on the supply end of security concerns, isn't it? I don't think you want that.

      --

      A feeling of having made the same mistake before: Deja Foobar
  3. Re:Well... by feeander · · Score: 0, Funny

    IBM announced (internally) 1000 redundancies in North Region in EMEA yesterday. How's that for getting fired for choosing IBM?

    --
    Oh babe, I'm good for nothing - Nothing is good enough for me
  4. Audits on the Cheap by actappan · · Score: 5, Funny

    Walk down to your local high school. Walk over to the kid with the purple hair and the /. t-shirt.

    Tell him you'll give him or her a free laptop, and 5 cases of Code Red if they can break in and tell you how they did it.

    --
    \Drew National Data Director, John Edwards for President
  5. Hmmm by Delifisek · · Score: 4, Funny

    What about Mitnick...

    Oh but he can't access computers...

    --
    [My English is better than most other people's Turkish, so please point out mistakes politely. Thank you.]
  6. Poot's Security Shack by poot_rootbeer · · Score: 2, Funny
    I recommend this great company I found out about, called "Poot's Security Shack".

    I... um, I mean, we... I MEAN THEY do a great job, and they cost less than all the big fancy companies with offices and business plans!

    Email them at poot@dork.com for more info. Sorry, no refunds.

  7. Netcraft by TheTomcat · · Score: 3, Funny

    I've never used it, but I noticed this service today, and Netcraft is a reputable company (unless they're hiding something (-: )

    http://www.netcraft.com/security/

    S

  8. How about... by YourFavoriteBandSux · · Score: 2, Funny

    ...those guys from 'Sneakers'? Man they were good. :)

    ---
    Two rights don't make a wrong, but three rights make a left. -Me
  9. Simple by The+Turd+Report · · Score: 1, Funny
    1. Log in to #2600 from box at work
    2. Say: "I am 3l33t! Yuo sux0r!"
    3. Sit back and watch the 'audit'
  10. Definitely KPMG. by br0ken+by+design · · Score: 2, Funny

    With a song like this you know they mean business.
    There's even a jungle remix! w00t!

    :wq
    (Personally, tho, I like IBM's "Ever Onward". Just has that
    "1930's cartoon with happy singing cows" feel to it.)

    --
    One ring to rule them all. The (_O_) in Goatse.cx
  11. Re:http://www.terradoncommunications.com/ by Anonymous Coward · · Score: 1, Funny

    Is Sharp going to like that?

  12. GRC! by dark_panda · · Score: 5, Funny

    Surely you've already contacted Gibson Research to help protect you against script kiddies, armed with the raw sockets in Windows XP, from taking over not only your servers, but the entire internet!

    www.grc.com

    J

  13. Re:Big-5 Accounting Firms by realdpk · · Score: 5, Funny

    I dunno, at least you can be sure that Arthur Anderson won't be leaving your passwords around on paper.

  14. Look at the bright side. by Futurepower(R) · · Score: 2, Funny
    Look at the bright side. If they don't do good security, you can have them walk your dog.

  15. Re:We've used ISS by Anonymous Coward · · Score: 1, Funny

    Surely the Iron and Steel Society would have no problems reinforcing secure areas.