Re: Pentest Letter of Achievement/Certificate

From: John Kinsella (jlk@thrashyour.com)
Date: Wed Jul 13 2005 - 23:18:04 EDT


Completely concur, but for some people ya just gotta put one of these on
there:

http://tinyurl.com/cqjzh

Kidding aside, I think the OSSTMM is a good reference for a lot of
people, and as a client I think I'd feel pretty confident that a good
job had been done if this methodology had been done with gusto by a
pentester I hired. The seal/letter's basically a gold star for those
who know, and a blinky light for the management. (ok I rank it
significantly higher than the MS NT thing, but ya get the idea,
hopefully)

John

On Wed, Jul 13, 2005 at 05:26:20PM -0400, R. DuFresne wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
>
>
> Isn't the final pentester's report what is being asked for here? (0)
> Or are companies really hung up on and seeking gold stars to post in public
> areas and at the bottom of stationery? Kinda like the certifications that
> M$ got for NT back in the late 90's I guess, meaningless in any env other
> than the single system they had tested....
>
>
> Thanks,
>
> Ron DuFresne
>
> (0) In most cases that pentester's report is likely to be backed with the
> corp documentation showing how they mitigated the issues found during the
> pentest. After all, few companies should ever come out of a thorough
> pentest unscathed. So they document how they corrected what was
> discovered, and perhaps have another outside party verify the
> 'corrections'. But gold stars and report cards, or neat little
> certificates in frames? <shakes his head>
>
>
>
>
> On Tue, 12 Jul 2005, John Kinsella wrote:
>
> >I think http://www.isecom.org/osstmm/ might cover what you're looking
> >for...
> >
> >John
> >
> >On Tue, Jul 12, 2005 at 10:52:42PM +0200, blowfish 448 wrote:
> >>Hi,
> >>
> >>Any of you know if any 'standards' or accepted guidelines exist for a
> >>letter or certification of successful resistance to Penetration
> >>Testing/Vulnerability Assessment? Customers often demand to have a proof
> >>delivered by their Penetration Test service provider to show to their
> >>partners and customers.
> >>
> >>The idea of course is not to disclose sensitive information but to briefly
> >>describe the environment tested and how - according to which methodologies
> >>and the attack vectors tested for.
> >>
> >>
> >>Thanks in advance
> >>
> >>
> >
>
> - --
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> admin & senior security consultant: sysinfo.com
> http://sysinfo.com
> Key fingerprint = 9401 4B13 B918 164C 647A E838 B2DF AFCC 94B0 6629
>
> ...We waste time looking for the perfect lover
> instead of creating the perfect love.
>
> -Tom Robbins <Still Life With Woodpecker>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.2.4 (GNU/Linux)
>
> iD8DBQFC1Yb/st+vzJSwZikRAilGAKDCOxyj3Fox77OhX21BgmkC7I1r3QCgxPYB
> 6R+l1D8nti84/RaOEfoUE5c=
> =aHj2
> -----END PGP SIGNATURE-----

This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:54:33 EDT