So a response to "How to Choose a Pen Tester"
Let me start by saying that I agree with the core of Steve's argument. Yes, if I pay someone to come in and do "anything" on my network, I want to be able to trust them not to steal info, plant trojans, or air my dirty laundry out on the net when they are done.
I don't disagree with that.
A few comments, though I'm not sure they are quite counterpoints:
1. I personally don't see a big prevalence of pentest shops doing pentests and posting customer data on the net in any form. If there are examples, show me. He mentions that in 6 months he heard ONE story about someone that did that and didn't provide a link...ummm ok. Is it believable that it does happen/has happened/could happen?...yes. That every pentest shop is doing it (except his, which is really the point of the post)... doubtful. It's not a smart business decision to 1) do that as a company or 2) allow your testers to do that on their personal blogs.
2. As David Hull mentioned, what is the problem with talking about a pentest as long as the customer can't be derived from the post/presentation/email or there isn't enough actionable information to conduct the attack? If companyX was vulnerable to SQLI 6 months ago and I went in and found it using some creative method and I decided to share that experience on my blog or at a conference, what is the problem with that? The company isn't vulnerable any more, and if I had to figure out some new method of doing "whatever", unless it was explicitly in the contract not to share "new pentest methods", aren't those mine to share as I see fit? It helps the community when others talk about things they have seen on a pentest, even if it's just to make the other guy feel a tad bit better that someone else lives in jacked-up network hell. Even so, I always get a lot more out of people's posts about their pentests.
3. I realize that Steve proposes you do a scorecard, but really....trustworthiness over competence? Why on earth would you ever even consider doing business with someone you didn't trust? I don't see how anyone with half a brain would put themselves in the position of...hmmm, do I choose the trustworthy CEH or the untrustworthy l33t ass hacker....ummm NEITHER! You pick a company that hires people who are intelligent, competent, trustworthy, and all the rest of the stuff on his scorecard. Are there really that many companies that are that piss poor yet still make it past a scoping call? And more importantly, do the decision makers for choosing the testers not have the ability to pick the good from the bad?
I should insert a shameless plug here, but I don't think it's necessary :-)