Full Disclosure mailing list archives
Re: [Professional IT Security Providers - Exposed] Cybertrust ( C + )
From: "SecReview" <secreview () hushmail com>
Date: Thu, 20 Dec 2007 12:26:52 -0500
Greetings list. We've had an abundant amount of questions and challenges with respect to the grades that we give to businesses. As a result we will be posting a grade key on our site in the near future. At the risk of being redundant, our opinions of companies are formed by approaching the companies as prospective buyers. We have deep technical conversations with managers and team leaders whenever possible. In conjunction with that we collect a wide array of information including but not limited to sample reports, testing methodologies, team overviews, web page content, research performed, and in some cases even proposals. Even with that our reviews are not perfect which is why we are willing to change our opinion provided that someone can help us change it legitimately. It is also for this reason why we allow people to post comments to the blog based on their experience with particular companies. It is good to say that so far, based on comments from readers, we've been spot on with our reviews. We have yet to have anyone prove to us that our reviews were wrong, bad, or unfair. Sure we've had the teenage trolls bashing us, but they really don't count. If you (the list) would like to see us change our grading from A to F to something else, then please provide us with an example of what you'd like. If enough people request it then we'll set up a vote and choose a different standard. Other than that, keep reading the blog and we'll post our key soon. For now just remember A == Best and F == Worst... but then again, isn't that obvious? Once we collect those materials

On Thu, 20 Dec 2007 09:05:36 -0500 "guiness.stout" <guinness.stout () gmail com> wrote:
I'm not really clear on how you are grading these companies. I've had no personal experience with them but I don't decide a company's quality of work simply by their website and what information I get from some customer support person. These "grades" seem pointless and frankly unfounded. You should reword your grading system to specify the ease of use of their websites and not the service they provide. Especially if you haven't ordered any services from them. I'm not defending anyone here just pointing out some flaws in this "grading."

On Dec 20, 2007 12:11 AM, secreview <secreview () hushmail com> wrote:

One of our readers made a request that we review Cybertrust ("http://www.cybertrust.com"). Cybertrust was recently acquired by Verizon and as a result this review was a bit more complicated and required a lot more digging to complete (In fact it's now Cybertrust and Netsec). Nevertheless, we managed to dig information specific to Cybertrust out of Verizon representatives. We would tell you that we used the website for information collection, but in all reality the website was useless. Not only was it horribly written and full of marketing fluff, but the services were not clearly defined.

As an example, when you view the Cybertrust services in their drop down menu you are presented with the following service offerings: Application Security, Assessments, Certification, Compliance/Governance, Consulting, Enterprise Security, Identity Management, Investigative Response/Forensics, Managed Security Services, Partner Security Program, Security Management Program, and SSL Certificates. The first thing you think is "what the hell?" the second is "ok so they offer 12 services". Well as you dig into each service you quickly find out that they do not offer 12 services, but instead they have 12 links to 12 different pages full of marketing fluff.

As you read each of the pages in an attempt to wrap your mind around what they are offering as individually packaged services you're left with more questions than answers. So again, what the hell?

Here's an example. Their "Application Security" service page does not contain a description about a Web Application Security service. In fact, it doesn't even contain a description about a System Software/Application security service. Instead it contains a super high level, super vague and fluffy description that covers a really general idea of "Application" security services. When you really read into it you find out that their Application Security service should be broken down into multiple different defined service offerings.

Even more frustrating is that their Application Security service is a consulting service and that they have a separate service offering called Consulting. When you read the description for Consulting, it is also vague and mostly useless, but does cover the "potential" for Application Security. So, trying to learn anything about Cybertrust from their web page is like trying to pull teeth out of a possessed chicken.

We decided that we would move on and call Cybertrust to see what we could get out of them with a conversation. That proved to be a real pain in the ass too as their website doesn't list any telephone numbers. We ended up calling Verizon and after talking to 4 people we finally found a Cybertrust representative. At last, a human being that could provide us with useful information and answers to our questions about their services. We did receive about 2mb of materials from our contact at Cybertrust, but the materials were all marketing fluff, totally useless. That being said, our conversation with the representative gave us a very clear understanding of how Cybertrust delivers their services. In all honesty, we were not all that impressed.

Cybertrust does perform their own Vulnerability Research and Development (or so we were told) under the umbrella of ICSAlabs which they own. Usually we'd say that this is great because that research is often used to augment services and enhance overall service quality. With respect to Cybertrust, we couldn't find out what they were doing with their research. They just told us that they don't release advisories and then refused to tell us what they did with the research.

When we asked them about their services and testing methodologies, we were first told that they couldn't discuss that. We were told that their methodologies were confidential. But after a bit of Social Engineering and sweet talking we were able to get more information...

As it turns out, the majority of the Cybertrust services rely on what they say are proprietary automated scanners which were developed in-house. Their methodology is to run the automated scanners against a specific target or set of targets, and then to pass the results to a seasoned professional. That professional then verifies the results via manual testing and produces a report that contains the vetted results.

This methodology doesn't really offer any depth and doesn't do much to raise the proverbial security bar. In fact, it is only slightly better than running a Qualys scan, changing the wording of the report, and delivering that. Quality methodologies should contain no more than 20% automated testing and no less than 80% manual testing. Vulnerability discovery should be done via manual testing, not just via automated testing.

In defense of Cybertrust, they did say that they would test in accordance with the customer's requirements. They also did say that if the customer wanted 100% manual testing that they would do it. If they want 100% automated "rubber stamp of approval" testing they would do that too.
Saying it is a lot different than doing it though and we weren't impressed with their standard/default testing methodology as previously mentioned.

It is important to note that Cybertrust is also a full service security provider. They offer a wide range of services from supporting secure product development services, to security testing, and even forensic services. With that said, their services do not seem to be anything special. In fact, they seem to be just about average short of their horrible website and overwhelming marketing fluff.

It is our recommendation that you choose a different provider if you are looking for well defined, high quality services. Cybertrust is cloaked in a thick layer of marketing fluff and frankly doesn't seem to be very easy to work with. That being said, they were also not easy to review. If you disagree with this post or have worked with Cybertrust in the past, then please leave us a comment. We're going to give Cybertrust a "C" but if you can convince us that they deserve a different grade then we'll revise our opinion. Thanks for reading.

-- Posted By secreview to Professional IT Security Providers - Exposed at 12/19/2007 07:32:00 PM

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Regards,
The Secreview Team
http://secreview.blogspot.com
Professional IT Security Service Providers - Exposed