Penetration Testing mailing list archives
Re: [PEN-TEST] How to "break into" the Pen-Testing field
From: "Teicher, Mark" <mark.teicher () NETWORKICE COM>
Date: Tue, 12 Sep 2000 09:24:42 -0700
Bennett,

Thank you for your viewpoint. Some high end consulting services state as one of the differentiators that they utilize Industry Best Practices when they are hired for engagements, especially penetration testing.

If you are stating that it is hard to define Industry Best Practices since InfoSec is a moving target and no two firms or individuals will run the available tools the same, so how does an organization then pick a reputable firm to hire? And then how does one validate their findings then??

/mark

At 04:53 PM 9/11/00 -0400, Bennett Todd wrote:
2000-09-11-13:34:03 Frasnelli, Dan:
> > But what really is Industry Best Practices.
> > I imagine SANS or similar group has a list of recommended practices.

I've completely abandoned SANS; they seem to be a pack of utter, incurable, incompetent, unprofessional morons. They specifically endorse and recommend sendmail and BIND, and refuse to listen to discussions critical of these recommendations. That's enough, as far as I'm concerned; anything that has the SANS name on it can be ignored.

As of this instant, the most vocal and active group I know of promoting good security practice is securityfocus.com, thanks to the mailing lists they host. If I had to hunt for other organizations I respect at this point, it'd get a lot harder; the other good ones have either gone bad, or gone quiet, as far as I can tell. The next closest I know of would be Counterpane Systems, but that focuses on crypto rather than on security in general.

As for the topic behind your mention of Industry Best Practices, I don't advocate application of that phrase in the field of internet security; this field is too new, and is evolving too rapidly, for there to be any accepted Best Practices. Contrast with e.g. finance, where for e.g. financial accounting reporting requirements there are Industry Best Practices which evolve pretty rapidly, it takes a professional to stay on top of them --- but accounting is arguably a 5000+- year old field. With the field completely revolving, all old truths being replaced by a completely new set, in just a few years, there's no time to begin to establish Best Practice.

-Bennett