Full Disclosure mailing list archives
Re: [Professional IT Security Providers - Exposed] Cybertrust ( C + )
From: "SecReview" <secreview () hushmail com>
Date: Thu, 20 Dec 2007 12:35:36 -0500
Trains,

Thank you for the good email. We'll take your suggestions into consideration. We do already ask for sample reports, but the questions that you provide later are great. Thanks again!

On Thu, 20 Dec 2007 10:20:57 -0500 trains <trains () doctorunix com> wrote:
I am a pentester and IDS/IPS administrator for a large-ish security firm. None of our tech staff worked on the corporate web site. We are too busy, and frankly, it's just not my bag. Public-facing websites are usually outsourced to professional graphic arts firms and developed under the supervision of the Director of Business Development. It's usually a solid pile of fluffy buzzwords and crap.

I like where you are going, you're just not there yet. Your methodology is weak. You need to review the "actionability" of the deliverables. Ask for sanitized sample reports. The argument of who has the most leet hackers is unmeasurable and pointless. For commercial security firms the real criteria need to be focused on the business process that helps their clients improve their overall security posture. Not just "I found an XSS on your site", but how the security infrastructure is being managed and improved. Try looking at the "actionability" aspect of the companies' deliverables and see if you don't get better findings.

Some possible things to look for:

- Do they include a screen shot for every finding?
- Do they correlate each finding to a specific spot of code in the vulnerable app?
- Do they work with your developers to assist with remediation and permanent resolution?
- How much app dev experience do the pentesters have?
- Do they have language and framework specialists on staff to review each finding and make relevant remediation recommendations?
- Do they meet with the security team, the networking team, the server support team and the developer team separately in break-out sessions with specialists in each area?
- Does every finding include a recommendation for permanent remediation?

Please get better. I like where you are going, you're just not there yet.

t.r.

-------------------------------------------------
Email solutions, MS Exchange alternatives and extrication, security services, systems integration.
Contact: services () doctorunix com
Regards,
The Secreview Team
http://secreview.blogspot.com
Professional IT Security Service Providers - Exposed

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/