
[_] Pen-testing

Wilkes, Matthew matt at matthewwilkes.name
Fri Aug 5 10:40:20 BST 2016

I've done that kind of thing for a few clients. We generally sell it as
security-focussed code review, rather than pentesting. It certainly has its
place, and I'd argue that you get better value for money than you would
getting an automated test from someone like NCC, but most pentesting is a
liability shift exercise. Code review won't help with that.

Matt

On Fri, Aug 5, 2016 at 10:00 AM, Craig Francis <craig at craigfrancis.co.uk>
wrote:

> Out of interest, has anyone had a test which involved the testers looking
> at the source code?
>
> It seems that all my testers just used an automated tool, with one
> exception who did a quick manual check as well (as in, they opened Chrome
> Dev Tools to double check the CSRF validation).
>
> Craig
>
> > On 5 Aug 2016, at 09:09, Alex Martin <alex at wearehalo.co.uk> wrote:
> >
> > Thanks Peter, will give them a shout.
> >
> > Alex
> >
> >>
> >>> Can anyone recommend companies to carry out independent pen-testing on
> >>> our sites/environments? Usually fairly standard LAMP stuff (lots of
> >>> Drupal). Have successfully used Nettitude in the past, but would be good to
> >>> know some other providers.
> >>
> >> Think this lot were used by our clients to check over some e-commerce
> >> sites we'd done: https://www.nccgroup.trust/uk/
> >>
> >> Peter Marshall
> >>
> >
> > --
> > underscore_ list info/archive -> http://www.under-score.org.uk/mailman/listinfo/underscore
>