Slashdot Mirror


Recommendations for Third Party Security Audits?

palehorse asks: "I am a developer/DBA/etc for a very large State Govt. Agency on the East Coast. We have been subjected to an increasing number of break-ins and website defacements over the past few months. My boss has recently been tasked by our CIO to find a reputable third party (not us or our ISP) to come in and do a complete and independent security assessment/vulnerability analysis for us. Since I'm the guy who usually bugs folks about security, she tasked me to come up w/ a list of firms who could do this for us, and a plan on what to test for and how. I've done the whole Google search/ZD-Net search/etc, which has given me way too many folks who do this kind of stuff, from ISS and IBM on down. Consequently I wanted to get some feedback/suggestions from the Slashdot community on where to go from here."

"Please keep in mind that while we're a large government agency, we have a small and overworked IT staff who have no real experience in internet/web security, and who are just now getting into a serious web presence.

Here are the main questions that I have:

  • Who have you used, and were they any good?
  • What should we look for in evaluating who to contact and their proposals?
  • What would you have done differently?
  • What services should we ask for?
  • How do we manage the contract to make sure we're not getting a snow-job?
  • How do we use the result to get buy-in from management (who will probably need to lay out money for changes) and from the developers (who may be adamantly opposed to changing their systems, either for ego reasons or it's just a lot of work)?
  • How often should we re-do these audits?
Again, I know there's a lot out there by the security firms themselves about this, but I'm really looking for a 'keyboarder-in-the-trenches' view as well. Horror stories are appreciated, since they may give us an idea what to watch out for."

7 of 350 comments

  1. Well... by istartedi · · Score: 2, Offtopic

    and IBM on down

    They say nobody ever got fired for choosing IBM. Of course, I find that hard to believe. Surely somebody must have chosen IBM technology when it wasn't appropriate, and gotten fired. Anybody have a story?

    --
    For all intensive purposes, "whom" is no longer a word. That begs the question, "who cares"?
  2. large state government on the East Coast by tps12 · · Score: 1, Offtopic
    First guess...New York?

    You mentioned IBM...want to keep the business in-state?

    Bet it's NY...

    --

    Karma: Good (despite my invention of the Karma: sig)
  3. Re:save yourself money. by raindog151 · · Score: 0, Offtopic

    jesus, for 25$ i'll dress up like natalie portman while i remove the stinking hot creamy grits from your loin-shorts.

    --
    your jesus is another man's xebu. chew on that hypocrites.
  4. Re:Poot's Security Shack by foobar104 · · Score: 1, Offtopic

    Man, I'm jealous. I post pretty regularly, and nobody's ever offered to show me their "recturm."

  5. Re:Hmmm by Ooblek · · Score: 1, Offtopic

    No, they should call Microsoft. At least Microsoft will be honest about taking a lot of your money and not getting anything done.

  6. Re:Is it really what you need? by 1155 · · Score: 0, Offtopic

    I am currently for hire. I work in security, and would be able to do business with your company. Problem solved.

  7. Shameless Plug by moonboy · · Score: 1, Offtopic

    Technica Corporation

    We're located in VA right outside of D.C.

    --

    Co-founder and designer at Music Nearby: http://musicnearby.com