Firewall Wizards mailing list archives
RE: Penetration Tests
From: Gary Crumrine <gcrum () us-state gov>
Date: Mon, 29 Sep 1997 10:58:58 -0400
I have been reading this thread with enthusiasm since it started. I agree mostly with everything that has been said, and what I disagree on is not worth mentioning, since everyone's experiences are different. What I would like to throw out is another thought that is in part related, but takes this one step farther. I have noticed that, for the most part, everyone who is trying to muscle in to the security market today seems to be zeroing in on the penetration end of the spectrum. This to me seems to be the worst place to start out. I will admit that it is quick-profit, get-in-and-get-out type of work, but in reality, it just doesn't fit. It gives you a sense of security, but we all know that it is in the art of interpretation of the results that the real science of security expertise begins. Some of our brethren may not be doing us a favor by this tactic, and may in the end harm our industry's credibility. I believe that if you truly want to have the maximum effect on the outcome of a customer's threat management program, as security experts, we need to be involved from the beginning, doing the risk analysis, looking at business practices and verifying services versus a true business need, helping the customer develop a comprehensive, but more importantly an enforceable, security policy prior to recommending the flavor-of-the-month guard device. This process builds a relationship with the customer that, if done correctly, will result in follow-on work etc... Read that increased profits... Remember, it is not the box that is important (Whoa, settle down, resellers), it is the program that fails, or succeeds. The customer is the one who will ultimately win or lose in the end. Wouldn't you want to employ the services of someone or an entity that has a stake in the outcome? Sure, you can go to a third party to verify your work, I even recommend it, but do not think that the fast profit generated by the big guns is by any means the only option.
It has been a thrill to watch the big accounting firms bidding for every so-called expert and also watching the lemming effect on the industry. Good, bad or ugly, they are making a difference. Thoughts? Comments? Flames?

Gary