Re: Pentest Letter of Achievement/Certificate

["blowfish 448" <blowfish448 () hotmail com>]

John,

thanks, I agree it takes only 5 minutes with a word processor but my 
original question
actually was to know if there is some general standard/best practice with 
such one or two
pager statement - e.g. a good statement should contain at least:

- issue date
- high level description on the environment tested (no details to maintain 
confidentiality)
- procedures, methodology applied while testing
- extent of tests (penetration test, procedure and policy review, change 
management, incident management etc...)
- limitations: no waranty, snapshot of situation at certain point in time 
etc...

and should not contain:

- IP addressing/application details/environment specifics
- results of the testing
- ...

Thanks



> From: John Kinsella <jlk () thrashyour com>
> Reply-To: John Kinsella <jlk () thrashyour com>
> To: blowfish 448 <blowfish448 () hotmail com>
> CC: pen-test () securityfocus com
> Subject: Re: Pentest Letter of Achievement/Certificate
> Date: Wed, 13 Jul 2005 14:46:15 -0700
>
>
> First off, I guess I read between the lines of blowfish's orig. post -
> was trying to provide a seal of approval so to speak, saying that a
> given pen test was conducted in a thorough manner by a respectable
> source.
>
> Did a quick review of the 2.1 docs, what I was thinking of isn't quite
> a letter as you were looking for (that's done in 5 mins with a word
> processor) but there's a seal and verbage on page 11 that "certifies"
> to a degree what's been done.
>
> What it comes down to, though, is if one follows the manual for the
> pentest, and issues a thorough report following the templates - you
> should end up with a fairly thick and useful document.  At that point,
> putting a signed page with a seal on it at the front should satisfy most
> people.
>
> btw, isecom guys - http://www.isecom.org/stamps.htm is dead, altho
> linked to in a public document.  tsk, tsk. :)
>
> John
>
> On Wed, Jul 13, 2005 at 10:33:10AM +0200, blowfish 448 wrote:
> >
> > Hi John,
> >
> > I checked and in the current available OSSTMM 2.1 version there is a
> > certain 'data sheet'
> > mentioned in the accreditation section. It says however in the document
> > that such data
> > sheet is only available in vs. 2.5 Which I could not trace back. After 
> 2.1
> > the next one set
> > for release is 3.0. Do you know of such 2.5 version maybe?
> >
> >
> > Thanks
> >
> >
> > >From: John Kinsella <jlk () thrashyour com>
> > >Reply-To: John Kinsella <jlk () thrashyour com>
> > >To: blowfish 448 <blowfish448 () hotmail com>
> > >CC: pen-test () securityfocus com
> > >Subject: Re: Pentest Letter of Achievement/Certificate
> > >Date: Tue, 12 Jul 2005 19:29:43 -0700
> > >
> > >I think http://www.isecom.org/osstmm/ might cover what you're looking
> > >for...
> > >
> > >John
> > >
> > >On Tue, Jul 12, 2005 at 10:52:42PM +0200, blowfish 448 wrote:
> > >> Hi,
> > >>
> > >> any of you know if any 'standards' or accepted guidelines exist for a
> > >> letter or certification
> > >> of succesfull resistance to Penetration Testing/Vulnerability
> > >Assessment.
> > >> Customers often
> > >> demand to have a proof delivered by their Penetration Test service
> > >provider
> > >> to show to their
> > >> partners and customers.
> > >>
> > >> The idea of course is not to disclose sensitive information but to
> > >briefly
> > >> describe
> > >> the environment tested and how - according to which methodologies and
> > >the
> > >> attack vectors
> > >> tested for.
> > >>
> > >>
> > >> Thanks in advance
> > >>
> > >>
> >
> >