Re: Pentest Letter of Achievement/Certificate

From: Tom Van de Wiele (tom.vandewiele@gmail.com)
Date: Wed Jul 13 2005 - 15:56:59 EDT


Usually, a detailed report is created in two versions by the company
that does the pentest. One version is the executive report which
states the conclusions and recommendations; one is the detailed
technical report of what was tested and why. I think this served as
enough proof for the customer, no?

Tom

On 7/13/05, blowfish 448 <blowfish448@hotmail.com> wrote:
>
> Tom, Ralph,
>
> thanks for the input, and I totally agree. Should have been paying more
> attention to the wording I used. It's not so much providing a certificate
> of success, here I agree with your arguments, but rather an objective
> statement that penetration testing has been executed at a certain period
> in time on infrastructure X at customer Y by company Z. This so they can
> show to their customer base they take security seriously and have
> undergone testing.
>
> From my experience in the financial market, customers and partners - e.g.
> other banks - of financial organisations asking for such proof is
> absolutely not so uncommon.
>
> Thanks
>
> > On 7/12/05, blowfish 448 <blowfish448@hotmail.com> wrote:
> > > Hi,
> > >
> > > any of you know if any 'standards' or accepted guidelines exist for a
> > > letter or certification of successful resistance to Penetration
> > > Testing/Vulnerability Assessment. Customers often demand to have a
> > > proof delivered by their Penetration Test service provider to show to
> > > their partners and customers.
> > >
> > > The idea of course is not to disclose sensitive information but to
> > > briefly describe the environment tested and how - according to which
> > > methodologies and the attack vectors tested for.
> > >
> > > Thanks in advance

This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:54:32 EDT