Re: Pentest Letter of Achievement/Certificate

From: Tom Van de Wiele (tom.vandewiele@gmail.com)
Date: Wed Jul 13 2005 - 03:22:23 EDT


I find the concept of giving someone a certificate for resisting a
penetration test very dangerous. Nothing can guarantee that after the
test (especially a blind penetration test) all vulnerabilities have
been found and identified. What value does your certificate have if
another company comes by and finds one more hole? Then you issued a
certificate that will only endanger the name and reputation of your
company. What is the value then? Because of this, big companies
will always have different partners when it comes to the security
testing of their infrastructure.

my 2 cents

Tom

--
Tom Van de Wiele, CISSP
Security Engineer
UNISKILL nv
http://www.uniskill.com
tom.van.de.wiele {A} uniskill.com

On 7/12/05, blowfish 448 <blowfish448@hotmail.com> wrote:
> Hi,
> 
> any of you know if any 'standards' or accepted guidelines exist for a letter
> or certification of successful resistance to Penetration Testing/Vulnerability
> Assessment. Customers often demand to have a proof delivered by their
> Penetration Test service provider to show to their partners and customers.
>
> The idea of course is not to disclose sensitive information but to briefly
> describe the environment tested and how - according to which methodologies
> and the attack vectors tested for.
>
> Thanks in advance


This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:54:32 EDT