RE: Pentest Letter of Achievement/Certificate

From: Paul Fields (Infosec@plainenglishsecurity.com)
Date: Thu Jul 14 2005 - 15:18:59 EDT

• Next message: dinckan@uekae.tubitak.gov.tr: "GPRS Security"
• Previous message: Juda Barnes: "Pen Test help"
• In reply to: Travis Good: "Re: Pentest Letter of Achievement/Certificate"
• Next in thread: Mike Klingler: "Re: Pentest Letter of Achievement/Certificate"
• Reply: Mike Klingler: "Re: Pentest Letter of Achievement/Certificate"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Blowfish's original question;
> >> > any of you know if any 'standards' or accepted
> >> > guidelines exist for a letter or certification
> >> > of succesfull resistance to Penetration Testing

As others have pointed out make a letter, name your methodology, sign it
and date it.

OSSTMM is one, others use NSA's INFOSEC Assessment Methodology

> >> > Customers often demand to have a proof delivered by
> >> > their Penetration Test service provider to show to their
> >> > partners and customers.

Same as Y2K compliance was asked for by partners/customers, and as of
LAST MONTH security standards compliance are being asked of anyone who
has a major credit card merchant account.

Payment Card Industry data security standards specifically ask for
quarterly vulnerability scans and annual pen testing.

Gramm-Leach-Bliley Act also asks for periodic testing of systems.

Now that they ask for it, how do you prove what you've done?

One of the reasons we use repeatable methodologies in audits is the
assumption that someone else using the same knowledge, tools, and
techniques could easily come up with the same results.

Travis' Response;
> Alot of people accept this kind of unrealistic request from
> a client because 1) they dont know any better

If they are in certain industries their client can't do business without
something that shows they pen test their systems.

> 2) are unable to educate their client and wont turn down
> a gig even when their client is unrealistic

Maybe this should be laid out clearly when you define the engagement, if
the customer needs the test done to meet a regulatory or other
requirement, then one of the things you should establish is whether or
not your testing fulfils their obligation. If the technical requirements
for their industry haven't been defined, use the best methodology you
have, document the test, and if next year somebody comes out with
detailed technical requirements use them on the next audit.

> Security audits are not marketing tools.

Oddly enough I don't think anyone here said that they were, but they are
becoming a cost of doing business, and minimum standard of due care.

Paul Fields

• Next message: dinckan@uekae.tubitak.gov.tr: "GPRS Security"
• Previous message: Juda Barnes: "Pen Test help"
• In reply to: Travis Good: "Re: Pentest Letter of Achievement/Certificate"
• Next in thread: Mike Klingler: "Re: Pentest Letter of Achievement/Certificate"
• Reply: Mike Klingler: "Re: Pentest Letter of Achievement/Certificate"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:54:33 EDT