Re: WebServices Testing

From: mailing lists (bofn@irq.org)
Date: Thu Oct 05 2006 - 18:24:00 EDT

• Next message: janheisterkamp@web.de: "auditing of chinese pwds"
• Previous message: Colin Copley: "Re: Vulnerability Test Report Template"
• In reply to: dallas jordan: "WebServices Testing"
• Next in thread: Paul Melson: "RE: WebServices Testing"
• Reply: Paul Melson: "RE: WebServices Testing"
• Reply: Jamie Riden: "Re: WebServices Testing"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

> On Thu, 5 Oct 2006 14:56:25 -0400
>"dallas jordan" wrote
> I am tasked with doing some security testing on a new web services
> application our client is rolling out. I have never really tested a
> web service app before

So...
they pay you to do something you know hardly anything about?

and instead of getting someone who does know how to, you prefer to fumble a bit.
doesnt seem to take much to get those 'GCIH, CISSP' certificates.

sorry about the flame..
But,,, this is why the infosec bizz has become cowboy territory rather then a serious
profession.
and it ticks me off a bit, knowing that those who have put in the effort of learning how
it all really functions inside, are getting a bad name from the "just sell it first, and
then figure out later how to do it" types.

the times that we have looked at companies after they where certified secure, by cowboy
companies, and found endless amounts of flaws and serious holes, seems unreal, but is
fact.

but then again, as mentioned before, most companies do not want to hear how bad it
really is, and rather pay a little extra to get a 'filtered' report that they can proudly
show at their board meetings, and then pray to Loki that no one will find out about the
actual state of their infrastructure.

to sum this up, i think that the cowboys are responsible for the very low standard of
infosec awareness on this planet, and they profit from keeping it so.

and again, the joe and betty in the street are the victim, because their privacy
sensitive info and often their savings are compromised at some point, as we keep reading
in the media.
and those reports never say if that company or organisation was certified by any of the
so called security companies.

maybe its time that each security certification selling company keeps a public list on
their website with all the names they sold them to.
so we all can see what the certification is really worth, but more to encourage those
companies to stop selling hot air.

Cheers, big ears.
*Anna.

------------------------------------------------------------------------
This List Sponsored by: Cenzic

Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.
http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW
------------------------------------------------------------------------

• Next message: janheisterkamp@web.de: "auditing of chinese pwds"
• Previous message: Colin Copley: "Re: Vulnerability Test Report Template"
• In reply to: dallas jordan: "WebServices Testing"
• Next in thread: Paul Melson: "RE: WebServices Testing"
• Reply: Paul Melson: "RE: WebServices Testing"
• Reply: Jamie Riden: "Re: WebServices Testing"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:57:07 EDT