Re: [Professional IT Security Providers - Exposed] Cybertrust ( C + )

[<elazar () hushmail com>]

I don't mind answering some questions, however we had used them for 
a very basic scan so I couldn't tell you anything as far as their 
more in-depth services.

Elazar

On Thu, 20 Dec 2007 14:45:04 -0500 SecReview 
<secreview () hushmail com> wrote:
> Awesome, 
>   So you were an RA Security customer, would you be willing to 
> answer a few questions that we have so that we can revise our 
> post? 
> We don't want to post anything that is not accurate. Your help 
> would be very much appreciated and we'd keep you anonymous. 
>
> On Thu, 20 Dec 2007 11:49:23 -0500 elazar () hushmail com wrote:
> > "Public facing websites are usually outsourced to professional 
> > graphics  
> > arts firms and developed under the supervision of the Director of 
>
> > Business Development.  It's usually a solid pile of fluffy 
> > buzzwords and crap."
> >
> > Its sad how true this is. What makes it worse is half the time 
> the 
> > Director of Business Development doesn't even understand what the 
>
> > company does. Unfortunately, in many companies, there is a huge 
> > disconnect between the marketing side and those who actually 
> > deliver the services. Someone had mentioned before that reviewing 
>
> > companies based on their site was like reviewing a restaurant 
> > based 
> > on their menu. Actually, this is worse, because at least at a 
> > restaurant, generally, what is on the menu is what is served, 
> this 
> > isn't always the case with a corporate website. You have a very 
> > good idea, however, trying to cut through marketing fluff on 
> > website isn't going to leave you with much of anything because 
> > there is nothing there to begin with.
> >
> > On a side note, you had reviewed RA Security. My company has used 
>
> > them in the past, and I do agree that their site may be a bit 
> > disorganized but I have found them to be very professional and 
> > easy 
> > to work with.
> >
> > Elazar
> >
> > On Thu, 20 Dec 2007 10:20:57 -0500 trains <trains () doctorunix com> 
>
> > wrote:
> > > I am a pentester and IDS/IPS administrator for a large-ish 
> > > security  
> > > firm.  None of our tech staff worked on the corporate web site.  
>
> > > We  
> > > are too busy, and frankly, it's just not my bag.
> > >
> > > Public facing websites are usually outsourced to professional 
> > > graphics  
> > > arts firms and developed under the supervision of the Director 
> of 
> > > Business Development.  It's usually a solid pile of fluffy 
> > > buzzwords  
> > > and crap.
> > >
> > > I like where you are going, you're just not there yet.  Your  
> > > methodology is weak.  You need to review the "actionability" of 
> > > the  
> > > deliverables.  Ask for sanitized sample reports.
> > >
> > > The argument of who has the most leet hackers is unmeasurable 
> and 
> > > pointless.  For commercial security firms the real criteria 
> needs 
> > > to  
> > > be focused on the business process that helps their clients 
> > > improve  
> > > their overall security posture.  Not just, "I found an XSS on 
> > your 
> > > site", but how is the security infrastructure being managed and  
>
> > > improved.
> > >
> > > Try looking at the "actionability" aspect of the companies'  
> > > deliverables and see if you don't get better findings.
> > >
> > > Some possible things to look for:
> > >   Do they include a screen shot for every finding?
> > >   Do they correlate each finding to a specific spot of code in 
> > > the  
> > > vulnerable app?
> > >   Do they work with your developers to assist with remediation 
> > > and  
> > > permanent resolution?
> > >   How much app dev experience do the pentesters have?
> > >   Do they have Language and framework specialists on staff to 
> > > review  
> > > each finding and make relevant remediation recommendations?
> > >   Do they meet with the security team, the networking team, the 
>
> > > server support team and the developer team separately in break-
> > out 
> > > sessions with specialists in each area?
> > >   Does every finding include a recommendation for permanent 
> > > remediation?
> > >
> > > Please get better.  I like where you are going, you're just not 
> > > there yet.
> > >
> > > t.r.
> > >
> > > -------------------------------------------------
> > > Email solutions, MS Exchange alternatives and extrication,
> > > security services, systems integration.
> > > Contact:    services () doctorunix com
> > >
> > >
> > > _______________________________________________
> > > Full-Disclosure - We believe in it.
> > > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > > Hosted and sponsored by Secunia - http://secunia.com/
> >
> > --
> > Click to get free info on remodeling your kitchen.
> > http://tagline.hushmail.com/fc/Ioyw6h4dczm28j7Wd3MPtFMlayFrrtoAqmD
> Z
> > rCwLiFsZCzCbZLKzQs/
> >
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > Hosted and sponsored by Secunia - http://secunia.com/
> Regards, 
>      The Secreview Team
>      http://secreview.blogspot.com
>
> --
> Click here to become a professional counselor in less time than 
> you think.
> http://tagline.hushmail.com/fc/Ioyw6h4fPKE3wNePOtuzWxeloWYVf2nXDva4
> 1gAKBmbvB4fgeeaWMy/

--
Click now to save up to 70% on picture frames!
http://tagline.hushmail.com/fc/Ioyw6h4dcDGdkE5d5GgWPjhvXCykvouVwGm5nrVt0wrucMQYvd0Z6Y/
>      Professional IT Security Service Providers - Exposed

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/