Damon Cortesi's blog

Musings of an entrepreneur.

Penetration Team

How Microsoft builds an attack and penetration testing team.

Some good points in that paper, including:

  • Less cost over the long term.
  • The hardest part of starting an Attack and Penetration Testing program is finding the first person.
  • It is important to find people who not only have the technical skills to find vulnerabilities and the personality that drives them to try to break systems, but also good interpersonal and team skills.
  • Three people are the recommended minimum Attack and Penetration Testing team, one with each of these specialties (Host, Network, Application).
  • There is a spirit of competition on the team that drives each team member to be the first to find the vulnerability in a new target being tested. Different people on the team take the lead on different projects on a rotating basis, to balance growth opportunities across the team.
  • One prime motivation of all of the testers on the team is the pursuit of knowledge and understanding.
  • As team members become more senior, a greater portion of their time is devoted to research and managing or mentoring other team members.

Wow…this is so right-on.