Full Disclosure mailing list archives

Re: new pen-test tool!


From: Árpád Magosányi <mag () magwas rulez org>
Date: Sun, 06 Jul 2014 09:31:18 +0200


This looks like a valuable tool.
But I would suggest rethinking some of the questions on trust metrics,
most importantly the first one.
The size of the vendor has nothing to do with the level of trust you should
have in it.
If you have ever worked in a shop which is not at the bottom of the food
chain, you will be able to think of vendors with just 10-15 (or even
fewer) employees who are extremely responsive and trustworthy. And you
will also have a bunch of stories about big names screwing you despite
high-value support contracts (Oracle is notorious for doing that).
There are whole countries where big names have no technical competence
whatsoever. Yes, they could bring in someone if shit happens, but
experience has shown that they won't.

I would suggest asking about the vendor's size relative to your own (not
too small, not too big), whether it actually has the competence, and
how important your business is to you. And you should look out for
overtrusting the vendor as well: question #3 is a good start, but what
you need is not a "similar" product or service, but the exact same one. You
will not be able to change your mission-critical application or
enterprise bus overnight, even if there are plenty of software
developers and bus solutions out there. What you need is an active pool
of developers and operators working on your instance of mission-critical
stuff continuously and seeing each other's work, so they are fully aware
that they are interchangeable. (And you should be wise enough to give
them a high enough profit margin.)


On 07/03/2014 01:44 PM, Pete Herzog wrote:
[]
http://archon.thewatchers.net/ISECOM/




_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/