Penetration Testing mailing list archives
Re: My Frustrations
From: Dotzero <dotzero () gmail com>
Date: Thu, 18 Dec 2008 17:18:24 -0500
On Wed, Dec 17, 2008 at 2:19 PM, Adriel T. Desautels <ad_lists () netragard com> wrote:
> I recently wrote this blog entry and wanted to get some comments from readers of this list. I'm frustrated with the caliber of the people that are offering security services and posing as experts; that's the subject of the post. Please comment, insult, whatever... I'm interested.
>
> http://snosoft.blogspot.com/
>
> Adriel T. Desautels
> ad_lists () netragard com
As security curmudgeon pointed out, this is not a new problem. I think it has gotten worse with the advent of PCI and other requirements. A rush of companies wanting to "buy" security.... "how much is 10 pounds of security please?". Nature abhors a void.

I've seen competent people at large firms and I've seen competent people at small firms. Conversely, I've seen incompetents at both types as well. I've pretty much always worked client side. I think the answer is that it really comes down to caveat emptor. Most potential clients don't even have the ability to ask the right questions and parse the answers. Even if someone hands them the questions, they may have difficulty evaluating the answers.

There are ways for client side staff to mitigate the issue. The first is to participate in local IT security groups. I'd offer as an example The Northeast Ohio Infosec Forum, which meets once a month (http://neoinfosecforum.org). Maybe 30-40 people show up at a meeting, a mix of vendor side and client side. This provides someone local an opportunity to ask questions (who do you use for ______ and what do you like/dislike about the service they provide you?). Ask enough different people about someone and you should start to get a sense of whether they are real or Memorex. This also works if someone checks around on companies that are not local... use lists, forums, etc. Ask for references.... and check them.

Attend conferences. Black Hat would be a good choice for meeting other client side folks and comparing notes. If someone wanted free, they could go to that one put on by the searchsecurity folks in Chicago each year, or something comparable.

Anyone remember Gobbles' rant at DC10 (I might be off a year) about not getting paid for "doing security" like others? What about CDC or other folks back in the day? They certainly didn't look "professional". They didn't act professional. They certainly knew what they were talking about in the areas they were talking about, doing or writing tools/exploits. Remember the discussions about whether a "real" security company would hire a hacker?

I'm going to assert that over time things will sort themselves out. The incompetents will be weeded out (because their clients will suffer pain and sue them perhaps... or break their kneecaps). The barrier to entry will probably rise a bit higher. This too shall pass. I guess in fairness someone should do a blog post about the clients <G>.

H.D., if you don't want clients checking up on postings, then use a pseudonym, preferably one that you hold a little close. I don't make a big deal about hiding behind this one. I just use it to show that my postings are personal and not on behalf of my employer.

Another alternative to the issue is to have closed lists where the participants are vetted. I'm on a few of those and they vary in quality as well... go figure.

Just a few rambling thoughts.