When Choosing a Service Provider
The security industry today offers varying standards in assessments, code reviews, and penetration testing. Immunity encourages its clients to closely examine the experience and skill-set of any vendor being considered for an engagement.
Most highly skilled information security professionals or organizations will have independent information confirming consultant capabilities available online. This information could be published research, presentations, the results of participation in industry conferences and forums, or a role in education services or other industry events. An effective security consultant will be able to communicate their knowledge and area of expertise when describing the assessment process, how the tools and technologies used in the assessment work, and what the consultant brings to the table on top of the automated scanning alternatives available elsewhere.
This is particularly relevant when considering vulnerability scanning as part of a security solution. Vulnerability scanning with an automated commercial tool is sometimes the primary (or even sole) approach used by service providers to measure an application or network's exposure. This approach is ineffective because of the technology's dependence on signatures and a limitation to only well-known or publicized vulnerabilities. Vulnerability scanners do not verify the existence of vulnerabilities and are prone to large amounts of false positive and false negative reporting. Vulnerability scanners are a useful tool alongside a larger knowledge-base of attack techniques, however they should not be relied upon to provide a complete picture of exposure.
Similarly, services that specialize in compliance with industry regulations do not provide an accurate measurement of exposure to attack from skilled adversaries.
When a client's objective is ensuring that sensitive data and systems are protected, Immunity recommends that vulnerability scanning, compliance-related testing, and information security industry qualifications be considered helpful for establishing a minimum baseline, but not be depended upon to gain an accurate measurement of exposure.
