From: puppe@hisolutions.com
Date: Wed Mar 05 2008 - 03:34:11 EST
Salve,
> -----Ursprüngliche Nachricht-----
> Von: listbounce@securityfocus.com [mailto:listbounce@securityfocus.com] Im
> Auftrag von Andre Gironda
> Gesendet: Dienstag, 4. März 2008 22:05
> An: pen-test
> Cc: Trygve Aasheim
> Betreff: Re: Pentesting tool - Commercial
>
> On Tue, Mar 4, 2008 at 12:54 PM, Trygve Aasheim <trygve@pogostick.net>
> wrote:
> > This might be a bit hard for you to understand, I see that, but just
<snip>
>
> The deliverable shouldn't be awareness - it should be workable
> solutions. Most of the time - these aren't technical at all.
> Strategy consulting is a good start to any project of this nature, and
> while the cost might be the same as a two-week assessment, it only
> takes up 1-2 days of a client's time, which really equates to much
> better savings for the client because a two-week assessment is a large
> investment for them.
>
> I would hit a few key areas:
> 1) Software acquisition. How does the client acquire new software?
> Does it come with hardware out-of-the-box (e.g. installed on a
> router)?
> 2) Software update. How does the client upgrade/update their software?
> 3) Software configuration. How does the client configure their
> software? How do they handle changes?
> 4) Software development. Does the client write their own software?
> What processes do they use?
>
> I'm fairly impressed with the BITS Shared Assessments Program
> Standardized Information Gathering questionnaire as a starting point,
> which is also available in a SIG-Lite version. Note that you don't
> have to be under SOX, ISO27k, or PCI "law" to follow COBIT, ISO 27002,
> or PCI-DSS.
I totally agree with you on this. A penetration test is good as a last touch to it-security, but in a not very security aware company, the real problems show up in a one hour interview more easily. Many customers buy the pentest, because they are afraid to talk about their organizational difficulties like patch-, user-, password-, service-management. That's where the exploits the hacker will find hail from and that's where they need to be fixed. Like when you pentest a company, deliver the report and while being treated to a tour of the premises, see that the server room has normal windows at level with the ground ...
We usually do an assessment based on http://www.bsi.de/english/gshb/index.htm , they have the only standard that covers physical, logical, organization security and it is very thorough, down to earth and with loads of detailed security measures to compare against.
-- Mit freundlichen Grüßen Christoph Puppe Security Consultant We secure your business.(TM) _______________________________________________________ HiSolutions AG Phone: +49 30 533289-0 Bouchéstrasse 12 Fax: +49 30 533289-99 D-12435 Berlin Internet: http://www.hisolutions.com _______________________________________________________ Mindestinformationen im geschäftlichen E-Mail-Verkehr nach §37a HGB: Sitz der Gesellschaft / registered office: Berlin Handelsregistereintrag / Commercial register: Amtsgericht Berlin Charlottenburg - HRB 80155 Vorstand / Management Board: Torsten Heinrich, Timo Kob, Michael Langhoff Vorsitzender des Aufsichtsrates / Chairman of the supervisory board: Prof. Dr. Klaus Müller ------------------------------------------------------------------------ This list is sponsored by: Cenzic Need to secure your web apps NOW? Cenzic finds more, "real" vulnerabilities fast. Click to try it, buy it or download a solution FREE today! http://www.cenzic.com/downloads ------------------------------------------------------------------------
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:58:26 EDT