Slashdot Mirror


Recommendations for Third Party Security Audits?

palehorse asks: "I am a developer/DBA/etc for a very large State Govt. Agency on the East Coast. We have been subjected to an increasing number of break-ins and website defacements over the past few months. My boss has recently been tasked by our CIO to find a reputable third party (not us or our ISP) to come in and do a complete and independent security assessment/vulnerability analysis for us. Since I'm the guy who usually bugs folks about security, she tasked me to come up w/ a list of firms who could do this for us. and a plan on what to test for and how. I've done the whole Google search/ZD-Net search/etc, which has given me way to many folks who do this kind of stuff, from ISS and IBM on down. Consequently I wanted to get some feedback/suggestions from the Slashdot community on where to go from here."

"Please keep in mind that while we're a large government agency, we have a small and overworked IT staff who have no real experience in internet/web security, and who are just now getting into a serious web presence.

Here are the main questions that I have:

  • Who have you used, and were they any good?
  • What should we look for in evaluating who to contact and their proposals?
  • What would you have done differently?
  • What services should we ask for?
  • How do we manage the contract to make sure we're not getting a snow-job?
  • How do we use the result to get buy-in from management (who will probably need to lay out money for changes) and from the developers (who may be adamantly opposed to changing their systems, either for ego reasons or it's just a lot of work)?
  • How often should we re-do these audits?
Again, I know there's a lot out there by the security firms themselves about this, but I'm really looking for a 'keyboarder-in-the-trenches' view as well. Horror stories are appreciated, since they may give us an idea what to watch out for."

3 of 350 comments (clear)

  1. Audits on the Cheap by actappan · · Score: 5, Funny

    Walk down to your local highschool. Walk over to the kid with the purple hair and the /. tshirt.

    Tell him you'll give him or her a free laptop, and 5 cases of Code Red if they can break in and tell you how they did it.

    --
    \Drew National Data Director, John Edwards for President
  2. GRC! by dark_panda · · Score: 5, Funny

    Surely you've already contacted Gibson Research to help protect you against script kiddies, armed with the raw sockets in Windows XP, from taking over not only your servers, but the entire internet!

    www.grc.com

    J

  3. Re:Big-5 Accounting Firms by realdpk · · Score: 5, Funny

    I dunno, at least you can be sure that Arthur Anderson won't be leaving your passwords around on paper.