This is the world's worst writeup of the world's worst penetration test report.

First, this article is on some linkbait site and it gets posted to HN.

Second, the author complains that these kinds of outfits haven't been "weeded out" of the industry. Anyone with half a mind in the security industry knows that it is filled with charlatans and snake oil. That the author finds this surprising seems to indicate they're a bit green. Nobody's been weeded out from existence. Thus, a little caution and common sense is required.

I suspect the author's associate probably did a Google search for "pentester" and stumbled upon this outfit. Or worse, he read the stunning Google reviews for this outfit.

Also, as a US company, don't use an Indian company for a task so sensitive, and where it's vital that language be precise. Maybe that's politically incorrect, but it's the truth. If you're an Indian company, by all means ignore this advice.
> Microsoft IIS susceptible to CVE-XXXXXXXX. Recommend applying accordingly patch.

> Another almost good finding - but according to the appendix, this host is a RHEL 5.x box. Those sysadmins - finding ways to run IIS on linux!! Brilliant!

I used to see crap like this all the time coming out of PCI compliance audits. The hosts I dealt with ran Apache on RHEL, too. We'd point this out, and they'd "accept" that "fix."
Sadly, relative to what I've seen, the examples here really aren't that bad. There are plenty of outfits based right here in the US who will happily sell you the output of a default scan from an outdated version of Nessus.

Also, you've not seen cut-n-paste, search-and-replace garbage until you've had to sift through the mountain of responses to a public sector RFP.

My best theory is that there are a large number of companies which simply shotgun shoveled together lowball responses to every posting. The lowball number virtually guarantees consideration and people who either don't really understand what they're procuring or don't actually read the responses let the stuff slip through.

I always made a point of requesting that the companies which submitted crap like that be banned from future solicitations - it never worked.
If this is a baseline for "very bad" penetration testing, it makes me think I could start up an "almost competent" low-end penetration-testing business just by blindly following a checklist found on the internet, as long as I used a checklist for the right operating system and proof-read the final report.
"Their chief pen testing monkey couldn't get into the USA for whatever reason, so he managed the test from India."

Well, there you go.
I'm a developer and we outsource some of our projects (we used to anyway) - I've got to tell ya - I've seen worse. Oh, the horrors ... the mess. I remember once when the "consultants" deployed for the first time on our staging env we somehow ended up with 15 databases, some containing credit card info and all kinds of transactions (I guess from previous clients); the reason I know is because I had to examine this madness. As far as I could tell their software was dependent on most of the DBs. By the way, the software was a recruitment web app, nothing to do with payments whatsoever.
Just as a note to startups here considering "penetration tests":

"Penetration test" is a term that means wildly different things depending on who you talk to.

The kind of test discussed in this post is the most common kind. People in the field call them "network penetration tests". These are the projects where someone runs nmap and Nessus and Metasploit against your network, dumps the Nessus results into a Word document, and calls it a day.

I'm not wild about these kinds of projects, and even less wild about the firms that specialize in them. They may find things on your network that you need to know. But they generally involve people just running some tools and interpreting the results, and then, if they find something blatant, spending the balance of their time using that finding to pry their way into the rest of your network.

The latter part of the project --- the part where they get to your database, dump your hashes, pivot from machine to machine, &c --- is not a great use of your security dollars. It's generally always going to be the case that if someone finds a way to run code (or SQL) on one of your servers, you're done for. The important finding is the flaw that gets attackers into your network. The findings that come after that look scary, but since there's not a whole lot you're going to be able to do to reliably lock down your internal servers, they aren't very useful to you; the next team that finds some other way onto your servers will embarrass you just as badly even after you "fix" the internal flaws from the first team.

You can get a license to run Nessus pretty cheaply. You can download nmap and Metasploit yourself. If you can build a product, you're more than qualified to run them yourself. If you don't have the bandwidth to do that, don't pay too much to have someone else do it.
Also, demand that the team that does the netpen breaks out the findings that actually get them into your network, versus the less valuable findings like "older version of OpenSSL detected that we don't actually know how to exploit" or "customer records recovered after we took control of your database", and make sure the team concentrates on finding new ways into your network, rather than on extending their access into your network once they do find a way.

You'll need to ride netpen people not to waste time extending access, because the Fortune 500 companies that are the bread-and-butter clients for network penetration testers actually do want people to spend time extending access and finding "shock and awe" internal findings --- they're doing these tests for a different reason (to justify security budget), not for the reason you're doing them (to make sure it isn't easy to break into your servers).
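A small triage script, added here as an example and not from any commenter or the article, that does two of the sanity checks discussed in this thread: it cross-checks each finding's affected product against the host OS recorded in the report appendix (catching the "IIS on RHEL" kind of cut-and-paste finding from the earlier comment) and separates entry-point findings from version-only scanner output and post-exploitation noise. The inventory, findings, and the platform-only product lists are constructed assumptions.

```python
"""Triage a network pentest report: flag findings that cannot apply to the
host's OS, then bucket the rest by how much they matter to the client."""
from dataclasses import dataclass

# Products that only run on one OS family (assumed lists; extend as needed)
WINDOWS_ONLY = {"microsoft iis", "microsoft sql server", "active directory"}
UNIX_ONLY = {"sendmail", "postfix"}


def os_family(os_name: str) -> str:
    """Map an appendix OS string such as 'RHEL 5.x' to a coarse family."""
    n = os_name.lower()
    if "windows" in n:
        return "windows"
    if any(k in n for k in ("rhel", "red hat", "linux", "bsd", "solaris")):
        return "unix"
    return "unknown"


@dataclass(frozen=True)
class Finding:
    host: str
    product: str   # software the finding claims is affected
    title: str
    stage: str     # "entry": got the testers in; "scan": version-only; "post": after a foothold


def implausible(f: Finding, inventory: dict) -> bool:
    """True when the named product cannot run on the host's recorded OS."""
    fam = os_family(inventory.get(f.host, ""))
    p = f.product.lower()
    return (p in WINDOWS_ONLY and fam == "unix") or (p in UNIX_ONLY and fam == "windows")


def triage(findings, inventory: dict) -> dict:
    """Bucket findings: implausible ones first, the rest by their stage."""
    out = {"implausible": [], "entry": [], "scan": [], "post": []}
    for f in findings:
        out["implausible" if implausible(f, inventory) else f.stage].append(f.title)
    return out


# Constructed sample data: a RHEL web host and a Windows domain controller
INVENTORY = {"web01": "RHEL 5.x", "dc01": "Windows Server 2008"}
FINDINGS = [
    Finding("web01", "Microsoft IIS", "IIS susceptible to CVE-XXXX-XXXXX (placeholder)", "scan"),
    Finding("web01", "Apache httpd", "SQL injection in login form", "entry"),
    Finding("web01", "OpenSSL", "Older OpenSSL version detected", "scan"),
    Finding("dc01", "Active Directory", "Customer records recovered after domain takeover", "post"),
]

if __name__ == "__main__":
    for bucket, titles in triage(FINDINGS, INVENTORY).items():
        print(f"{bucket}: {titles}")
```

The "entry" bucket is the list to push the testers on; "implausible" goes back to the vendor as a defect in the report itself.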
Eh, we get pen-testers regularly telling us that we have to turn off HTTP and HTTPS (we had one who helpfully suggested serving the site over a VPN) in order to be secure.

This was on retail eCommerce websites.
All you need is to check references & testimonials of a company you want to hire. Why pay for some random crap from no-name "craporation"?