Full Disclosure mailing list archives
Re: [Professional IT Security Providers - Exposed] Cybertrust ( C + )
From: <elazar () hushmail com>
Date: Thu, 20 Dec 2007 15:39:20 -0500
I don't mind answering some questions, however we had used them for a very basic scan so I couldn't tell you anything as far as their more in-depth services.

Elazar

On Thu, 20 Dec 2007 14:45:04 -0500 SecReview <secreview () hushmail com> wrote:
> Awesome, So you were an RA Security customer, would you be willing to answer a few questions that we have so that we can revise our post? We don't want to post anything that is not accurate. Your help would be very much appreciated and we'd keep you anonymous.
>
> On Thu, 20 Dec 2007 11:49:23 -0500 elazar () hushmail com wrote:
>> "Public facing websites are usually outsourced to professional graphics arts firms and developed under the supervision of the Director of Business Development. It's usually a solid pile of fluffy buzzwords and crap."
>>
>> It's sad how true this is. What makes it worse is half the time the Director of Business Development doesn't even understand what the company does. Unfortunately, in many companies, there is a huge disconnect between the marketing side and those who actually deliver the services. Someone had mentioned before that reviewing companies based on their site was like reviewing a restaurant based on their menu. Actually, this is worse, because at least at a restaurant, generally, what is on the menu is what is served; this isn't always the case with a corporate website. You have a very good idea, however, trying to cut through marketing fluff on a website isn't going to leave you with much of anything because there is nothing there to begin with.
>>
>> On a side note, you had reviewed RA Security. My company has used them in the past, and I do agree that their site may be a bit disorganized but I have found them to be very professional and easy to work with.
>>
>> Elazar
>>
>> On Thu, 20 Dec 2007 10:20:57 -0500 trains <trains () doctorunix com> wrote:
>>> I am a pentester and IDS/IPS administrator for a large-ish security firm. None of our tech staff worked on the corporate web site. We are too busy, and frankly, it's just not my bag. Public facing websites are usually outsourced to professional graphics arts firms and developed under the supervision of the Director of Business Development. It's usually a solid pile of fluffy buzzwords and crap.
>>>
>>> I like where you are going, you're just not there yet. Your methodology is weak. You need to review the "actionability" of the deliverables. Ask for sanitized sample reports. The argument of who has the most leet hackers is unmeasurable and pointless. For commercial security firms the real criteria needs to be focused on the business process that helps their clients improve their overall security posture. Not just, "I found an XSS on your site", but how is the security infrastructure being managed and improved. Try looking at the "actionability" aspect of the companies' deliverables and see if you don't get better findings.
>>>
>>> Some possible things to look for:
>>> - Do they include a screen shot for every finding?
>>> - Do they correlate each finding to a specific spot of code in the vulnerable app?
>>> - Do they work with your developers to assist with remediation and permanent resolution?
>>> - How much app dev experience do the pentesters have?
>>> - Do they have language and framework specialists on staff to review each finding and make relevant remediation recommendations?
>>> - Do they meet with the security team, the networking team, the server support team and the developer team separately in break-out sessions with specialists in each area?
>>> - Does every finding include a recommendation for permanent remediation?
>>>
>>> Please get better. I like where you are going, you're just not there yet.
>>>
>>> t.r.
>>>
>>> -------------------------------------------------
>>> Email solutions, MS Exchange alternatives and extrication, security services, systems integration.
>>> Contact: services () doctorunix com
>>>
>>> _______________________________________________
>>> Full-Disclosure - We believe in it.
>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>> Hosted and sponsored by Secunia - http://secunia.com/
>
> Regards,
> The Secreview Team
> http://secreview.blogspot.com
Professional IT Security Service Providers - Exposed
Current thread:
- Re: [Professional IT Security Providers - Exposed] Cybertrust ( C + ), (continued)
- Re: [Professional IT Security Providers - Exposed] Cybertrust ( C + ) SecReview (Dec 20)
- Re: [Professional IT Security Providers - Exposed] Cybertrust ( C + ) don bailey (Dec 20)
- Re: [Professional IT Security Providers - Exposed] Cybertrust ( C + ) SecReview (Dec 20)
- Re: [Professional IT Security Providers - Exposed] Cybertrust ( C + ) Epic (Dec 20)
- Re: [Professional IT Security Providers - Exposed] Cybertrust ( C + ) reepex (Dec 20)
- Re: [Professional IT Security Providers - Exposed] Cybertrust ( C + ) don bailey (Dec 20)
- Re: [Professional IT Security Providers - Exposed] Cybertrust ( C + ) Fredrick Diggle (Dec 20)
- Re: [Professional IT Security Providers - Exposed] Cybertrust ( C + ) Dude VanWinkle (Dec 20)
- Re: [Professional IT Security Providers - Exposed] Cybertrust ( C + ) coderman (Dec 20)
- Re: [Professional IT Security Providers - Exposed] Cybertrust ( C + ) Fredrick Diggle (Dec 20)
- Re: [Professional IT Security Providers - Exposed] Cybertrust ( C + ) SecReview (Dec 20)