Re: Pentest Letter of Achievement/Certificate

From: John Kinsella (jlk@thrashyour.com)
Date: Wed Jul 13 2005 - 17:46:15 EDT


First off, I guess I read between the lines of blowfish's orig. post -
was trying to provide a seal of approval so to speak, saying that a
given pen test was conducted in a thorough manner by a respectable
source.

Did a quick review of the 2.1 docs, what I was thinking of isn't quite
a letter as you were looking for (that's done in 5 mins with a word
processor) but there's a seal and verbiage on page 11 that "certifies"
to a degree what's been done.

What it comes down to, though, is if one follows the manual for the
pentest, and issues a thorough report following the templates - you
should end up with a fairly thick and useful document. At that point,
putting a signed page with a seal on it at the front should satisfy most
people.

btw, isecom guys - http://www.isecom.org/stamps.htm is dead, although
linked to in a public document. tsk, tsk. :)

John

On Wed, Jul 13, 2005 at 10:33:10AM +0200, blowfish 448 wrote:
>
> Hi John,
>
> I checked and in the current available OSSTMM 2.1 version there is a
> certain 'data sheet' mentioned in the accreditation section. It says
> however in the document that such a data sheet is only available in vs.
> 2.5, which I could not trace back. After 2.1 the next one set for
> release is 3.0. Do you know of such a 2.5 version maybe?
>
>
> Thanks
>
>
> >From: John Kinsella <jlk@thrashyour.com>
> >Reply-To: John Kinsella <jlk@thrashyour.com>
> >To: blowfish 448 <blowfish448@hotmail.com>
> >CC: pen-test@securityfocus.com
> >Subject: Re: Pentest Letter of Achievement/Certificate
> >Date: Tue, 12 Jul 2005 19:29:43 -0700
> >
> >I think http://www.isecom.org/osstmm/ might cover what you're looking
> >for...
> >
> >John
> >
> >On Tue, Jul 12, 2005 at 10:52:42PM +0200, blowfish 448 wrote:
> >> Hi,
> >>
> >> Any of you know if any 'standards' or accepted guidelines exist for a
> >> letter or certification of successful resistance to Penetration
> >> Testing/Vulnerability Assessment. Customers often demand to have a
> >> proof delivered by their Penetration Test service provider to show to
> >> their partners and customers.
> >>
> >> The idea of course is not to disclose sensitive information but to
> >> briefly describe the environment tested and how - according to which
> >> methodologies and the attack vectors tested for.
> >>
> >>
> >> Thanks in advance
> >>
> >>
>
>
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:54:33 EDT