From: Erik Pace Birkholz (ERIK@specialopssecurity.com)
Date: Tue Dec 14 2004 - 21:32:40 EST
Adriel and List,
Here is my .02 regarding a potential customer's perception of our industry's ambiguos naming conventions. Let's face it, a name is just a name. The spirit of the project is the heart of the matter.
A “client” should never be confused since that implies to me the project has been sold or agreed to. However, a “potential customer” will almost always be confused by the names we choose for various services until you spend the time to explain the services in terms of their problems and needs.
The responsibility lies on the sales person and sales process. If they are already a client and the project manager is left to determine scope and deliverables you are asking for trouble.
The ideal people, process and technology for each engagement should be determined based on the needs of the potential customer. This includes the use of automated tools. Things like budget, network size and stimulus for the project pop into my mind. There are more.
At Foundstone and at Special Ops Security, our sales teams exercise great care to be sure the potential customers needs are met by the selected engagement and that their expectations are clearly set regarding the project's process & procedure, project team and deliverables.
Hope that helps,
Erik
----
erik pace birkholz
president, Special Ops Security, Inc.
888-R-U-OWNED
-----Original Message-----
From: "Adriel T. Desautels" <atd@secnetops.com>
Date: Tue, 14 Dec 2004 11:19:45
To:<pen-test@securityfocus.com>
Subject: Penetration Testing Methodologies
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Greetings List,
I am interested in collecting ideas as to what people feel an ideal
penetration test is. What does the ideal methodology look like and
what are the goals? I am asking you this because I have been running
into interesting issues in certain markets. It would appear that some
people view penetration tests as nothing more then basic network
vulnerability audits while others view a penetration test for what it
is, a test designed to compromise target systems as PoC of
vulnerability.
How do people feel about the use of automated tools and the weights
of their results? What about manual or custom testing? We have our
own methodology that we use for testing our client networks, but I am
always interested in learning what else might be done. I'd be happy
to engage anyone in a conversation about this subject.
Regards,
Adriel T. Desautels
Secure Network Operations, Inc.
-----------------------------------------
Office: 978-263-3829 Cell: 978-697-2946
http://www.secnetops.com
CAUTION: The information contained in this mail message is
confidential and may be legally privileged. No confidentiality or
privilege is waived or lost by any mistransmission. If the reader of
this message is not the intended recipient, you are hereby notified
that any use, dissemination, or reproduction of this message is
prohibited. If you have received this message in error please notify
the sender immediately by email and destroy the original message.
Thank you
-----BEGIN PGP SIGNATURE-----
Version: PGP 8.1
Comment: http://www.secnetops.com
iQA/AwUBQb8SQ7R5YB3MHZrzEQIs4QCgh/nnbznNp7MgI8lBTWQfCr+xlTkAn1yk
ZZu2wdM22W3VbqMr2HF2obEx
=DQTm
-----END PGP SIGNATURE-----
____________________[via Blackberry]____________________
Erik Pace Birkholz
Special Ops Security
888-R-U-OWNED x187
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:54:11 EDT