<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet type="text/css" href="/stylesheets/rss.css"?>
<rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:trackback="http://madskills.com/public/xml/rss/module/trackback/">
  <channel>
    <title>ClearNet Security: Is a tool list a competitive advantage?</title>
    <link>http://blog.clearnetsec.com/articles/2006/10/09/is-a-tool-list-a-competitive-advantage</link>
    <language>en-us</language>
    <ttl>40</ttl>
    <description></description>
    <item>
      <title>Is a tool list a competitive advantage?</title>
      <description>&lt;p&gt;We use lots and lots of open source tools, commercial tools, and some homegrown tools to do assessments.  We have priorities, flowcharts to guide which tools work under which conditions, and ways we like to organize and analyze results.
&lt;/p&gt;

&lt;img src="http://blog.clearnetsec.com/files/iStock_000001940991Small2.jpg" hspace="10" vspace="5"  width="118" height="162" align="right" /&gt;

&lt;p&gt;Is this knowledge IP (Intellectual Property)?  What are the pros and cons of being fully transparent?  Most, if not all, of the information is already out there -- it is just not neatly packaged.
&lt;/p&gt;
&lt;p&gt;
I tend to want to be more transparent, but I&#8217;ve recently noticed several partners asking for explicit details on our processes.  They want to see the tool list and learn the &#8220;details&#8221;.  
&lt;/p&gt;
&lt;p&gt;None of what we do is secret, but at the same time I feel hesitant to divulge everything freely.  What is your opinion?&lt;/p&gt;

</description>
      <pubDate>Mon, 09 Oct 2006 20:53:00 -0600</pubDate>
      <guid isPermaLink="false">urn:uuid:478fcecb-e71b-4ba6-8304-8523f9e0565f</guid>
      <author>tate@ClearNetSec.com (Tate Hansen)</author>
      <link>http://blog.clearnetsec.com/articles/2006/10/09/is-a-tool-list-a-competitive-advantage</link>
      <category>ClearNet Security</category>
      <category>Tate Hansen</category>
      <category>security tools</category>
      <category>security assessments</category>
      <category>Intellectual Property</category>
    </item>
    <item>
      <title>"Is a tool list a competitive advantage?" by LonerVamp</title>
      <description>&lt;p&gt;I would say that providing a tool list is one thing, but performing the training to train in-house IT staff to use the tools and replace you as their consultant is another thing.&lt;/p&gt;

&lt;p&gt;Some companies do want to eventually have their own staff doing internal audits, either as a replacement to spending money on you or to augment your checks with their own. In that case, whether you cooperate or not, they will do it. It would be best to share information and tools in such a case.&lt;/p&gt;

&lt;p&gt;Honestly, sometimes a company does not understand all that goes into an audit or pen-test and may think that running an automated Nessus scan every month is going to be sufficient. At least this way they can see that just having the tools is one thing, but knowing how to wield them with intelligence, experience, and a surgical touch is a wholly different (and usually expensive in manhours) area for a company to get into.&lt;/p&gt;

&lt;p&gt;Overall, I think it would be beneficial to divulge the most common tools and checks that you use. This might be part of the value you add for them. For anything more specific like your own expertise or recommendations or how to use the tools properly may end up being something you charge to sit down with their staff and go over a bit, or just leave it up to informal chatting as opposed to anything written down.&lt;/p&gt;

&lt;p&gt;I will mention that I do not do pen-testing or assessments for anyone other than the company I work for and on my own&#8230;at least not yet, anyway. :)&lt;/p&gt;</description>
      <pubDate>Tue, 10 Oct 2006 15:38:32 -0600</pubDate>
      <guid isPermaLink="false">urn:uuid:b3963ee4-6e1b-41b9-909a-4fd5ae70ace0</guid>
      <link>http://blog.clearnetsec.com/articles/2006/10/09/is-a-tool-list-a-competitive-advantage#comment-21</link>
    </item>
    <item>
      <title>"Is a tool list a competitive advantage?" by S&#248;ren Maigaard</title>
      <description>&lt;p&gt;In my experience, large corporations never reveal this kind of information to customers. Even check lists are considered IP that should not leave our hands. &lt;br&gt;&lt;br&gt;&lt;/p&gt;

&lt;p&gt;This seems a somewhat strange approach to me. It sort of says that the lists, flowcharts, check lists etc. are pretty much all we have, and if you have it, then why would you ever hire us&#8230; On the other hand, as you describe, some work does go into this material even if you could find it elsewhere. &lt;br&gt;&lt;br&gt;&lt;/p&gt;

&lt;p&gt;I therefore lean towards an approach where this information should be shared between peers so we can all learn from each other (if in doubt of the intentions of someone, sign a simple NDA. Especially if you are sharing this with a direct competitor). However, I don&#8217;t think I would share it with customers because they might not understand that this is not an important competitive factor and that they should not use a tool list to compare two different offers for a service. &lt;br&gt;&lt;br&gt;&lt;/p&gt;

&lt;p&gt;Tool lists can, as Michael Boman described, be a good read for another security professional because we might discover a new tool or a good way to use an existing tool. It might even build a good reputation like when Tate describes how to make the best use of Nmap in large scans. You know that here is a guy that knows what he is doing and really tries to get the most out of a good tool. We understand that, but if you simply show a list of tools, the customer might see Nmap and compare it to a competitor that uses nine different port scanning tools and figure that&#8217;s probably better. I&#8217;d much rather have Tate just run Nmap than the next guy run every single downloadable scan tool on the planet. I am just not sure the customer knows that and so I would hesitate to make lists and charts a part of my selling points&#8230; &lt;/p&gt;</description>
      <pubDate>Tue, 10 Oct 2006 01:27:26 -0600</pubDate>
      <guid isPermaLink="false">urn:uuid:ca0a8e1d-6e77-438f-aac6-4665df724263</guid>
      <link>http://blog.clearnetsec.com/articles/2006/10/09/is-a-tool-list-a-competitive-advantage#comment-19</link>
    </item>
    <item>
      <title>"Is a tool list a competitive advantage?" by Michael Boman</title>
      <description>&lt;p&gt;In my opinion having a very large list of tools is not very descriptive at all because depending on circumstances you may or may not use the tools listed and you might have found or developed a new tool since you responded to the RFP so you have to make sure your wording in the RFP response does not in any way limit you in what tools you use.&lt;/p&gt;

&lt;p&gt;Personally I find it somewhat entertaining to read those lists, as they can contain tools that you are not yet aware of or just give a good laugh if the list is out of date (tip: &lt;em&gt;never&lt;/em&gt; put version numbers in the tool list - it gets out of date extremely fast that way).&lt;/p&gt;

&lt;p&gt;I also get the impression that if it contains too many tools one can start to wonder if the consultant actually knows what he/she is doing except running the tools&#8230;&lt;/p&gt;

&lt;p&gt;Just my $0.02&lt;/p&gt;</description>
      <pubDate>Mon, 09 Oct 2006 23:16:20 -0600</pubDate>
      <guid isPermaLink="false">urn:uuid:5ed2086a-b83d-4f81-bb18-1f6a35ada978</guid>
      <link>http://blog.clearnetsec.com/articles/2006/10/09/is-a-tool-list-a-competitive-advantage#comment-17</link>
    </item>
  </channel>
</rss>
