Hit and run pentesters -- the cycle repeats

I just read an excellent post by Mark Curphey on "The types of testing," part 2 in his 5 part series on "The Art of Scoping Application Security Reviews." Dre responded with some good commentary almost as long as the original post. One quote towards the end got to me:

It ceases to amaze me that people want to do review after review, quarter after quarter, year over year - for the same clients. Why allow these [helpless?] organizations to continue to make the same mistakes? In your first part of this series, you mentioned the business aspect about submitting defects into an issue tracking system instead of providing a report that is likely to sit on a desk and collect dust. I say go even further!

If your company contracts out, over and over again to the same vendor for security reviews, and each report comes back looking almost exactly the same with a different date or site, you need help! Have a couple lead developers and security guys sit down with the testing team and go over some methodologies and standards for reducing those flaws. If a vendor is really worth their salt, they will want to help you. This is a win-win situation, because your developers won't put out so many of the same flaws, and two, the vendor will be able to concentrate more on less common/perhaps more critical vulnerabilities.

Posted by Marcin on Tuesday, September 4, 2007 in Security.