[idiotsecant]

Always curious about this - I work in infrastructure that would be a major public safety issue if it was compromised, and our security seems equal parts useless and overly focused on things that don't matter. We did some pentesting at one point and when it was demonstrated that security was demonstrably trivial to breach rather than getting to work fixing things it was hushed up internally and nobody important ever saw it.

Do your customers actually pay you to break security and then act on what is found? Or are most of them paying you to demonstrate that their security is perfect and then quietly burying results if they don't go that way?

[ganoushoreilly]

It's a good question and it's one that can go either way depending on the pentesting company. In my first Security Startup I founded, we took most contracts large and small with only standard questioning. We found that while sometimes we made less upfront, the clients that were more in sync with solving a known or suspected problem and were using the pentest as part of moving forward.

There are tons of companies looking for simple check boxes, or affirmations. Tons that don't acknowledge their issues. I can say first hand that I had a project I was involved with that identified a substantial breach at a company under acquisition for an obscene amount of money. Most M&A seem to skip technical diligence beyond code review. Long story short there were actually three separate issues / actors within the network. They even had one authorized access by a competitor that a salesman had naively setup under the guise of a collaboration. They paid for the onsite investigation then realized that it was going to create a PR nightmare based on our findings. It would have been a huge exposure that would counter the obscene amount of marketing they were doing for the tech acquired. Their response was to not only ignore us (i'm assuming they eventually fixed things) but refuse to pay for the investigation performed and basically said.. we're a billion dollar company what are you going to do, sue us? We got stiffed with probably a quarter mill in work because they were right. Worst part is we called them to let them know originally because we found EXTREMELY sensitive source code and documentations of a crypto nature. Incidentally we saw some 0-days later on that leveraged undocumented functions that were curiously documented in our findings.

So yeah.. you see it all. That's why I love working with startups, make less, but they're appreciative and long term relationships are more worth it for us.