RE: WebServices Testing

From: Paul Melson (pmelson@gmail.com)
Date: Fri Oct 06 2006 - 10:27:58 EDT


-----Original Message-----
Subject: Re: WebServices Testing

> So...
> they pay you to do something you know hardly anything about?

I doubt the letter of intent puts it *that* way. :-)

> but then again, as mentioned before, most companies do not want to hear
> how bad it really is, and
> rather pay a little extra to get a 'filtered' report that they can proudly
> show at their board meetings,
> and then pray to Loki that no one will find out about the actual state of
> their infrastructure.

You're half right. I'm sure his client wants a report that says that their
network, their applications, their financials, and their manhoods are all
secure. But I doubt they're hoping nobody finds out the ugly truth about
their infrastructure because I would wager a guess that they have no idea,
either.

> to sum this up, i think that the cowboys are responsible for the very low
> standard of infosec awareness
> on this planet, and they profit from keeping it so.

I disagree. Customers that demand cheap, "teach-to-the-test" audits are
what make so-called cowboy project work possible.

In this case, I think it's unfair to impeach Dallas' skills or ethics.
Everybody has to learn sometime, and let's not pretend that we've all been
auditing web services since day one. I'll be the first to say it's not
something I've ever done. At least he knows what he doesn't know and is
asking for help now. Believe me when I tell you there are plenty of
consultants that would've just pointed Nessus at it and given them a clean
report or told them that they need to block ICMP timestamp requests.

I do, however, think it's crappy that his employer has put Dallas and their
client in a position to succeed poorly or fail well. If the client does
their homework and brings all of their resources to the table to assist in
the audit and remediation process, poor Dallas will be found out as having
no experience in this arena. If they don't, the audit may go off without
incident, but the value and depth may be lacking also.

But at least the important objective - the account manager making 7%
commission on a five-figure audit engagement - will be achieved. Not that
I'm jaded or anything.

> and again, the joe and betty in the street are the victim, because their
> privacy sensitive info and
> often their savings are compromised at some point, as we keep reading in
> the media.

The botherders were going to do it anyway. At least now there will be a
class action lawsuit that they can get in on. :-)

PaulM

This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:57:08 EDT