Re: Penetration Testing - Human Factor

From: Joey Peloquin (joeyp@cotse.net)
Date: Tue Aug 29 2006 - 16:11:55 EDT


StyleWar wrote:
> lol
>
> With respect, I think that's a greater commentary on your contracting
> methods than it is on what's available. The Pen-Tests I have run include

Yeah, well, I work for a Fortune 50 company, and it's just come to my
attention that my boss doesn't give a crap about whether our pen-testers
"get in". He just doesn't want any work to do (read: audit items). He
said, and I quote, "Your standards are too high, and you probably wouldn't
be happy with any pen-tester we brought in."

And yeah, I'm thinking what you're thinking... my CV is getting updated now.

> everything from physical, to logical, to social/administrative. The
> customer has had to opt out on specific methods and attack trees as part of
> the preengagement process.
>
> -
>
> StyleWar

Sounds great... exactly what we go through. Also sounds like you're not the
cookie-cutter (Qualys/Nessus, Nikto, NMAP, anyone?) type of contractor that
Fortune 50 customers get stuck with.

That said, we *did* have one good pen-test. ~2 years ago we paid ISS 40K;
they had a trophy from an obscure, forgotten webapp within two days. I've
also gotten a shitty pen-test from ISS, so YMMV.

-jp




This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:56:52 EDT