Dailydave mailing list archives
Re: Anonimized reply
From: Ben <ben.sapiro () gmail com>
Date: Tue, 24 Aug 2004 12:01:25 -0400
I wasn't going to respond to this in light of the recent Foundstone acquisition mini-flaming, but then reconsidered. (General disclaimer: this is me talking, not the people I work for, so they're not responsible for how quickly I stick my foot in my mouth and such like.)

I can't speak for our competitors in the Big 4 space, so I won't generalize, but that's not the case for the four-letter group I work for. We've got teams globally and all they're made up of is "professionals" - really bright guys and girls that code all night and come up with some very cool code for doing some very serious nuts-and-bolts testing - people that don't do checklists. Granted, most of them don't publish exploits or appear at Blackhat, but that's the nature of working for a Big 4; most of our "security pro" culture (knowledge sharing, coding etc.) is internalised.

Perhaps I'm taking a bit too much umbrage here (and you were probably just trying to make a point about auditors in general and that checklists can be a good thing in certain circumstances), but it's a common misconception that I'd rather not see my colleagues here take on the chin.

As to auditors in general relying on others' reports, sure, we do it when the client asks us to; why reinvent the wheel if the original wheel maker did a good job - but even then, one of our "professionals" is involved in making sure the report the IT auditors are relying on is solid.

respectfully
Ben

On Tue, 24 Aug 2004 11:42:03 +0100, Daniel <deeper () gmail com> wrote:
Actually this was one of the reasons why I went about creating the pentest checklist for OWASP: http://www.owasp.org/documentation/testing/application.html

Auditors like KPMG/D&T and others don't have people on board who are technical and often rely on reports and other forms of documents from "professionals". The idea behind the checklist was that the auditor could request to see what was done with regards to their web application security review and then make a judgement to see if the company actually did take it seriously or didn't. Obviously time will tell if it's of any use.

Daniel

On Tue, 24 Aug 2004 06:11:13 -0400, Dave Aitel <dave () immunitysec com> wrote:

Mike Bailey (mike.bailey () sunbladesecurity com) @ Mon, Aug 23, 2004 at 11:53:36PM -0400:

Dave's Direction 2: I think we're already there. Banking for example, if you look at the 15,000+ banks out there you will find a very small percentage that really want to be secure or even know what insecurities they have. They want to know the FFIEC is not going to lower their rating (or worse, let their customers know) due to findings that don't meet the assessment criteria the FDIC, OCC and Federal Reserve examiners are looking for. I'm sure it will be the same for HIPAA as soon as they get a federal-level audit division for it. It's my opinion that companies want to know they won't get in trouble more so than protecting themselves and others from security incidents.

The regulators are in a really bad position right now to determine security insecurities as they are not allowed to do any more than ask questions and review reports. I was shocked to find this out, but they are not allowed to use any tools or perform hands-on validation of any kind. They are just there to review audit reports done by 3rd parties and ask follow-up questions. These audits range in scope from port scans, penetration tests, security validation tests, to SAS70 reports.

Based on their inability to verify information gathered it would only be from gross negligence that any financial site could be poorly rated by the regulators.

-anon

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://www.immunitysec.com/mailman/listinfo/dailydave
Current thread:
- Anonimized reply Dave Aitel (Aug 24)
- Re: Anonimized reply Daniel (Aug 24)
- Re: Anonimized reply Ben (Aug 24)
- more flotsam and jetsam Dave Aitel (Aug 24)
- Re: more flotsam and jetsam Dave Aitel (Aug 24)
- Re: Anonimized reply Ben (Aug 24)
- Re: Anonimized reply Daniel (Aug 24)