Re: Pentest Letter of Achievement/Certificate

From: blowfish 448 (blowfish448@hotmail.com)
Date: Wed Jul 13 2005 - 04:29:18 EDT


Tom, Ralph,

Thanks for the input, and I totally agree. Should have been paying more
attention to the wording I used. It's not so much providing a
certificate of success, here I agree with your arguments, but rather an
objective statement that penetration testing has been executed at a
certain period in time on infrastructure X at customer Y by company Z.
This is so they can show their customer base that they take security
seriously and have undergone testing.

From my experience in the financial market, customers and partners -
e.g. other banks - of financial organisations asking for such proof is
absolutely not so uncommon.

Thanks

>On 7/12/05, blowfish 448 <blowfish448@hotmail.com> wrote:
> > Hi,
> >
> > any of you know if any 'standards' or accepted guidelines exist for
> > a letter or certification of successful resistance to Penetration
> > Testing/Vulnerability Assessment. Customers often demand to have a
> > proof delivered by their Penetration Test service provider to show
> > to their partners and customers.
> >
> > The idea of course is not to disclose sensitive information but to
> > briefly describe the environment tested and how - according to
> > which methodologies and the attack vectors tested for.
> >
> > Thanks in advance


