Re: Pentest Letter of Achievement/Certificate

From: Travis Good (tgood@mindsecurity.net)
Date: Thu Jul 14 2005 - 00:17:57 EDT


http://www.hackersafe.com
They even offer a little icon the client can post on their web page that
says they are safe! It also tells when the last scans were done.

This is similar to the "we are secure. We use SSL encryption"

A lot of people accept this kind of unrealistic request from a client
because 1) they don't know any better, 2) are unable to educate their
client and won't turn down a gig even when their client is unrealistic
or 3) don't care and just want money.

Security audits are not marketing tools.

Just my .02

On Wed, 13 Jul 2005, blowfish 448 wrote:

>
> Tom, Ralph,
>
> thanks for the input, and I totally agree. Should have been paying more
> attention to the wording I used. It's not so much providing a certificate
> of success, here I agree with your arguments, but rather an objective
> statement that penetration testing has been executed at a certain period
> in time on infrastructure X at customer Y by company Z. This is so they
> can show to their customer base that they take security seriously and have
> undergone testing.
>
> From my experience in the financial market, customers and partners - e.g.
> other banks - of financial organisations asking for such proof is
> absolutely not so uncommon.
>
> Thanks
>
>> On 7/12/05, blowfish 448 <blowfish448@hotmail.com> wrote:
>> > Hi,
>> >
>> > any of you know if any 'standards' or accepted guidelines exist for a
>> > letter or certification of successful resistance to Penetration
>> > Testing/Vulnerability Assessment. Customers often demand to have proof
>> > delivered by their Penetration Test service provider to show to their
>> > partners and customers.
>> >
>> > The idea of course is not to disclose sensitive information but to
>> > briefly describe the environment tested and how - according to which
>> > methodologies and the attack vectors tested for.
>> >
>> > Thanks in advance
>> >
>
>

Travis Good, CISSP, IAM
