Penetration Testing mailing list archives
Re: Evaluating Pen Testers
From: Andre Gironda <andreg () gmail com>
Date: Thu, 15 Apr 2010 22:02:08 -0500
On Thu, Apr 15, 2010 at 2:49 PM, Daniel Kennedy <danielkennedy74 () gmail com> wrote:
At this point you're resorting to ad hominem attacks or misdirections
At some point either one of us should have de-escalated any arguments that were thought to be attacks. I never thought I was attacking you, but certainly you seem to have taken it that way. Or, we could have kept it off the list. I'm going to delete anything in this thread that I feel that I have to defend, accept your corrections, and make some of my own. Hopefully the list gets something out of all of this.
I've been a member of both at various times, but I wasn't talking about myself I was talking about evaluating a potential penetration testing partner. I was suggesting that not every capable tester is necessarily also a member of OWASP.
I think I've met one penetration-tester in my whole life who was a member of OWASP. Most of the time, it's companies. This particular individual is his own company, so the lines blur. Note that Gotham Digital Science is both an OWASP member and CHECK certified (this is an example for your reference and my amusement).
Why? Isn't an alert box or !exploitable output (especially peer/tool> reviewed) enough for you?In web application security testing, both of those things are proof of exploitation, falling under what would count as supplying a proof of exploitation.
Hooray! I agree, but there are many people out there who do not.
Somehow I'm sure we don't disagree on much. You just seem to be new and I just feel like I'm over-educating you for free.A search on linkedin, Google, or whatever takes about two seconds and saves you from making asinine statements like this one. But if I need more help I'll be sure to give Gotham Digital Science a call.
I'm really not the expert that I'm making myself out to be, but I am a B.S. detector. I'm not saying that anything you've said so far is B.S., but I'm certainly trying to push you to fall on your face if that's what you want to do. You haven't fallen yet, but you have made some mistakes. Such as the fact that your attempts at guessing who I am have failed.
Background check companies (you definitely want one that is listed on napbs.com) are notoriously expensiveNot really, but if you've never been involved in having background checks done for a company, I could see why someone might think that.
Hah, well I've only been the one that causes the expense of background checks to go up, but I am familiar with the process. I'd explain, but no.
Define "usually"? Most people just don't want to be bothered with industry punditry.Your leadership seems to understand the value of such punditry: http://www.darkreading.com/security/attacks/showArticle.jhtml?articleID=212400450. Most of the company and researcher names you dropped below also have a history of understanding basic marketing.
Yeah. I don't work for Brian and never have. This might be bad, but oh well. I never said that I did -- you just assumed. Sorry to all involved.
Doesn't sound like you read it to me,Forrester corporate memberships are a great thing.
Yeah. I learned about that paper from my past. I delete old files that I shouldn't have access to anymore, so I couldn't even tell you what the paper said. Was Gotham Digital Science in there, but Praetorian not? Oh no! I'm so sorry -- I've heard good things about Nathan Sportsman, and certainly I'll have nice things to say about you from now on as well (you did beat me pretty fair and square in this little argument/discussion even though you guessed a whole bunch of things about me wrong. I have to look up to that). Oh and just as a final jab, I hope you keep your CEH skills current. (that's for the mailing-lists enjoyment, btw) Cheers, Andre ------------------------------------------------------------------------ This list is sponsored by: Information Assurance Certification Review Board Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified. http://www.iacertification.org ------------------------------------------------------------------------
Current thread:
- Evaluating Pen Testers Daniel Kennedy (Apr 12)
- Re: Evaluating Pen Testers Stephen Mullins (Apr 14)
- Re: Evaluating Pen Testers Andre Gironda (Apr 14)
- Re: Evaluating Pen Testers Daniel Kennedy (Apr 14)
- Re: Evaluating Pen Testers Andre Gironda (Apr 15)
- Re: Evaluating Pen Testers Daniel Kennedy (Apr 15)
- Re: Evaluating Pen Testers Andre Gironda (Apr 19)
- Re: Evaluating Pen Testers Nathan Sportsman (Apr 20)
- Re: Evaluating Pen Testers Pete Herzog (Apr 22)
- Re: Evaluating Pen Testers van van (Apr 22)
- Re: Evaluating Pen Testers Daniel Kennedy (Apr 14)