TT: Do companies usually just use one firm for pen-tests, or do they have two companies do them to make sure they're getting good info?
Amit: We saw a bit of alternate type testing in the past but much less so nowadays. As mentioned, there are so few organisations that can do this well. When a company finds better testers, they generally stick with them. To be honest, the choices are small. I would say in Australia, there is probably only a handful of companies that do this work really well.
There are very few good people out there at present, so organisations need to be careful when choosing the company to do this testing. But that can be difficult -- how does someone who doesn't really understand that space know the difference between what company A and company B are presenting to them? We see this all the time.
Brian: A company with the security budget and due diligence will hire two companies, or alternate between two when they need work done. Unfortunately, most companies aren't slating enough money to do that, and end up going with just one consulting shop to do the security work.
Adam: Most of the larger organisations seek penetration tests from multiple assessors, switching on a per-project, and even on a per-component, basis, allowing them to see the best picture of their true weaknesses.
We have seen circumstances where organisations take up assessments from multiple pen-testing companies on the same project -- which often yields surprising results. One tester would get in through the key left in the front door but the other would give up finding the address.