Wasting money on Penetration Testing / Security Park, 14 February 2007
http://www.securitypark.co.uk/article.asp?articleid=26469&CategoryID=1
"Penetration Testing is the final word in proving that technical compliance and good security practices are in place - or so it should be. But how do you know if you’re getting a good service or not?
• What if the consultant performing the test is inexperienced?
• What is the impact on quality if the consultant is overworked?
• What if the consultant is an expert ‘hacker’, but terrible at report writing?
The trouble with asking questions like these is that there’s no tick box to check when choosing your supplier. An easier method is to ask if someone has CHECK or PCI accreditation. However, neither of these is a guarantee of quality."