Full Disclosure mailing list archives
Re: [Professional IT Security Providers -Exposed] Cybertrust ( C + )
From: "SecReview" <secreview () hushmail com>
Date: Thu, 20 Dec 2007 12:37:32 -0500
That will come soon...

On Thu, 20 Dec 2007 10:32:51 -0500 "guiness.stout" <guinness.stout () gmail com> wrote:

What kind of grading scale will you use? A through F or maybe a 1 to 10 type scale? I am very interested in your services!

On Dec 20, 2007 10:09 AM, Kurt Dillard <kurtdillard () msn com> wrote:

Because it's absurd to write a review for a service without actually experiencing the service. The original poster's messages have only had entertainment value, they've had no value from an information security perspective. If you'd like to provide a link to your MSN profile and facebook pages I'll write up a resume for you. Does that sound like a good idea?

From: full-disclosure-bounces () lists grok org uk [mailto:full-disclosure-bounces () lists grok org uk] On Behalf Of Epic
Sent: Thursday, December 20, 2007 11:56 AM
To: c0redump
Cc: full-disclosure () lists grok org uk
Subject: Re: [Full-disclosure] [Professional IT Security Providers -Exposed] Cybertrust ( C + )

Isn't ANY review subjective to opinion? I do not understand the basis of this flame. It appears to me that a lot of the reviews on this site offer some great insight into the companies being presented. Granted it is an opinion, but that is what a blog is, isn't it?

On 12/20/07, c0redump <c0redump () ackers org uk> wrote:

Exactly. Your 'grading' is based on your personal opinion. Do us all a favour and get a proper job.

----- Original Message -----
From: "guiness.stout" <guinness.stout () gmail com>
To: <full-disclosure () lists grok org uk>
Sent: Thursday, December 20, 2007 2:05 PM
Subject: Re: [Full-disclosure] [Professional IT Security Providers -Exposed] Cybertrust ( C + )

> I'm not really clear on how you are grading these companies. I've had no personal experience with them but I don't decide a company's quality of work simply by their website and what information I get from some customer support person. These "grades" seem pointless and frankly unfounded. You should reword your grading system to specify the ease of use of their websites and not the service they provide. Especially if you haven't ordered any services from them. I'm not defending anyone here just pointing out some flaws in this "grading."
>
> On Dec 20, 2007 12:11 AM, secreview <secreview () hushmail com> wrote:
>> One of our readers made a request that we review Cybertrust ("http://www.cybertrust.com"). Cybertrust was recently acquired by Verizon and as a result this review was a bit more complicated and required a lot more digging to complete (In fact it's now Cybertrust and Netsec). Nevertheless, we managed to dig information specific to Cybertrust out of Verizon representatives. We would tell you that we used the website for information collection, but in all reality the website was useless. Not only was it horribly written and full of marketing fluff, but the services were not clearly defined.
>>
>> As an example, when you view the Cybertrust services in their drop down menu you are presented with the following service offerings: Application Security, Assessments, Certification, Compliance/Governance, Consulting, Enterprise Security, Identity Management, Investigative Response/Forensics, Managed Security Services, Partner Security Program, Security Management Program, and SSL Certificates. The first thing you think is "what the hell?" the second is "ok so they offer 12 services".
>>
>> Well as you dig into each service you quickly find out that they do not offer 12 services, but instead they have 12 links to 12 different pages full of marketing fluff. As you read each of the pages in an attempt to wrap your mind around what they are offering as individually packaged services you're left with more questions than answers. So again, what the hell?
>>
>> Here's an example. Their "Application Security" service page does not contain a description about a Web Application Security service. In fact, it doesn't even contain a description about a System Software/Application security service. Instead it contains a super high level, super vague and fluffy description that covers a really general idea of "Application" security services. When you really read into it you find out that their Application Security service should be broken down into multiple different defined service offerings.
>>
>> Even more frustrating is that their Application Security service is a consulting service and that they have a separate service offering called Consulting. When you read the description for Consulting, it is also vague and mostly useless, but does cover the "potential" for Application Security.
>>
>> So, trying to learn anything about Cybertrust from their web page is like trying to pull teeth out of a possessed chicken. We decided that we would move on and call Cybertrust to see what we could get out of them with a conversation. That proved to be a real pain in the ass too as their website doesn't list any telephone numbers. We ended up calling Verizon and after talking to 4 people we finally found a Cybertrust representative.
>>
>> At last, a human being that could provide us with useful information and answers to our questions about their services. We did receive about 2mb of materials from our contact at Cybertrust, but the materials were all marketing fluff, totally useless. That being said, our conversation with the representative gave us a very clear understanding of how Cybertrust delivers their services. In all honesty, we were not all that impressed.
>>
>> Cybertrust does perform their own Vulnerability Research and Development (or so we were told) under the umbrella of ICSAlabs which they own. Usually we'd say that this is great because that research is often used to augment services and enhance overall service quality. With respect to Cybertrust, we couldn't find out what they were doing with their research. They just told us that they don't release advisories and then refused to tell us what they did with the research.
>>
>> When we asked them about their services and testing methodologies, we were first told that they couldn't discuss that. We were told that their methodologies were confidential. But after a bit of Social Engineering and sweet talking we were able to get more information...
>>
>> As it turns out, the majority of the Cybertrust services rely on what they say are proprietary automated scanners which were developed in-house. Their methodology is to run the automated scanners against a specific target or set of targets, and then to pass the results to a seasoned professional. That professional then verifies the results via manual testing and produces a report that contains the vetted results.
>>
>> This methodology doesn't really offer any depth and doesn't do much to raise the proverbial security bar. In fact, it is only slightly better than running a Qualys scan, changing the wording of the report, and delivering that. Quality methodologies should contain no more than 20% automated testing and no less than 80% manual testing. Vulnerability discovery should be done via manual testing, not just via automated testing.
>>
>> In defense of Cybertrust, they did say that they would test in accordance with the customer's requirements. They also did say that if the customer wanted 100% manual testing that they would do it. If they want 100% automated "rubber stamp of approval" testing they would do that too. Saying it is a lot different than doing it though and we weren't impressed with their standard/default testing methodology as previously mentioned.
>>
>> It is important to note that Cybertrust is also a full service security provider. They offer a wide range of services from supporting secure product development services, to security testing, and even forensic services. With that said, their services do not seem to be anything special. In fact, they seem to be just about average short of their horrible website and overwhelming marketing fluff.
>>
>> It is our recommendation that you choose a different provider if you are looking for well defined, high quality services. Cybertrust is cloaked in a thick layer of marketing fluff and frankly doesn't seem to be very easy to work with. That being said, they were also not easy to review. If you disagree with this post or have worked with Cybertrust in the past, then please leave us a comment. We're going to give Cybertrust a "C" but if you can convince us that they deserve a different grade then we'll revise our opinion.
>>
>> Thanks for reading.
>>
>> --
>> Posted By secreview to Professional IT Security Providers - Exposed at 12/19/2007 07:32:00 PM
>> _______________________________________________
>> Full-Disclosure - We believe in it.
>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> Hosted and sponsored by Secunia - http://secunia.com/

Regards,
The Secreview Team
http://secreview.blogspot.com
Professional IT Security Service Providers - Exposed