Full Disclosure mailing list archives
Re: [Professional IT Security Providers -Exposed] Cybertrust ( C + )
From: "SecReview" <secreview () hushmail com>
Date: Thu, 20 Dec 2007 12:30:43 -0500
You obviously haven't a clue as to what you are talking about. Our readers are customers that have used the service of the vendors before. To date, they agree that our reviews have been accurate and very fair. In conjunction with that, our reviews are usually the product of analysis done against materials provided by the vendor, including sample reports. So, yes, we do see the quality of their end deliverable, not for all but for many.

On Thu, 20 Dec 2007 10:09:03 -0500 Kurt Dillard <kurtdillard () msn com> wrote:

Because it's absurd to write a review for a service without actually experiencing the service. The original poster's messages have only had entertainment value; they've had no value from an information security perspective. If you'd like to provide a link to your MSN profile and Facebook pages I'll write up a resume for you. Does that sound like a good idea?

From: full-disclosure-bounces () lists grok org uk [mailto:full-disclosure-bounces () lists grok org uk] On Behalf Of Epic
Sent: Thursday, December 20, 2007 11:56 AM
To: c0redump
Cc: full-disclosure () lists grok org uk
Subject: Re: [Full-disclosure] [Professional IT Security Providers -Exposed] Cybertrust ( C + )

Isn't ANY review subjective to opinion? I do not understand the basis of this flame. It appears to me that a lot of the reviews on this site offer some great insight into the companies being presented. Granted it is an opinion, but that is what a blog is, isn't it?

On 12/20/07, c0redump <c0redump () ackers org uk> wrote:

Exactly. Your 'grading' is based on your personal opinion. Do us all a favour and get a proper job.

----- Original Message -----
From: "guiness.stout" <guinness.stout () gmail com>
To: <full-disclosure () lists grok org uk>
Sent: Thursday, December 20, 2007 2:05 PM
Subject: Re: [Full-disclosure] [Professional IT Security Providers -Exposed] Cybertrust ( C + )

I'm not really clear on how you are grading these companies. I've had no personal experience with them but I don't decide a company's quality of work simply by their website and what information I get from some customer support person. These "grades" seem pointless and frankly unfounded. You should reword your grading system to specify the ease of use of their websites and not the service they provide, especially if you haven't ordered any services from them. I'm not defending anyone here, just pointing out some flaws in this "grading."

On Dec 20, 2007 12:11 AM, secreview <secreview () hushmail com> wrote:

One of our readers made a request that we review Cybertrust (http://www.cybertrust.com). Cybertrust was recently acquired by Verizon and as a result this review was a bit more complicated and required a lot more digging to complete (in fact it's now Cybertrust and Netsec). Nevertheless, we managed to dig information specific to Cybertrust out of Verizon representatives.

We would tell you that we used the website for information collection, but in all reality the website was useless. Not only was it horribly written and full of marketing fluff, but the services were not clearly defined. As an example, when you view the Cybertrust services in their drop down menu you are presented with the following service offerings: Application Security, Assessments, Certification, Compliance/Governance, Consulting, Enterprise Security, Identity Management, Investigative Response / Forensics, Managed Security Services, Partner Security Program, Security Management Program, and SSL Certificates. The first thing you think is "what the hell?" The second is "ok, so they offer 12 services". Well, as you dig into each service you quickly find out that they do not offer 12 services, but instead they have 12 links to 12 different pages full of marketing fluff. As you read each of the pages in an attempt to wrap your mind around what they are offering as individually packaged services, you're left with more questions than answers. So again, what the hell?

Here's an example. Their "Application Security" service page does not contain a description about a Web Application Security service. In fact, it doesn't even contain a description about a System Software/Application security service. Instead it contains a super high level, super vague and fluffy description that covers a really general idea of "Application" security services. When you really read into it you find out that their Application Security service should be broken down into multiple different defined service offerings. Even more frustrating is that their Application Security service is a consulting service and that they have a separate service offering called Consulting. When you read the description for Consulting, it is also vague and mostly useless, but does cover the "potential" for Application Security.

So, trying to learn anything about Cybertrust from their webpage is like trying to pull teeth out of a possessed chicken. We decided that we would move on and call Cybertrust to see what we could get out of them with a conversation. That proved to be a real pain in the ass too, as their website doesn't list any telephone numbers. We ended up calling Verizon and after talking to 4 people we finally found a Cybertrust representative. At last, a human being that could provide us with useful information and answers to our questions about their services. We did receive about 2mb of materials from our contact at Cybertrust, but the materials were all marketing fluff, totally useless. That being said, our conversation with the representative gave us a very clear understanding of how Cybertrust delivers their services. In all honesty, we were not all that impressed.

Cybertrust does perform their own Vulnerability Research and Development (or so we were told) under the umbrella of ICSAlabs, which they own. Usually we'd say that this is great because that research is often used to augment services and enhance overall service quality. With respect to Cybertrust, we couldn't find out what they were doing with their research. They just told us that they don't release advisories and then refused to tell us what they did with the research.

When we asked them about their services and testing methodologies, we were first told that they couldn't discuss that. We were told that their methodologies were confidential. But after a bit of Social Engineering and sweet talking we were able to get more information... As it turns out, the majority of the Cybertrust services rely on what they say are proprietary automated scanners which were developed in-house. Their methodology is to run the automated scanners against a specific target or set of targets, and then to pass the results to a seasoned professional. That professional then verifies the results via manual testing and produces a report that contains the vetted results.

This methodology doesn't really offer any depth and doesn't do much to raise the proverbial security bar. In fact, it is only slightly better than running a Qualys scan, changing the wording of the report, and delivering that. Quality methodologies should contain no more than 20% automated testing and no less than 80% manual testing. Vulnerability discovery should be done via manual testing, not just via automated testing.

In defense of Cybertrust, they did say that they would test in accordance with the customer's requirements. They also did say that if the customer wanted 100% manual testing they would do it. If they want 100% automated "rubber stamp of approval" testing they would do that too. Saying it is a lot different than doing it though, and we weren't impressed with their standard/default testing methodology as previously mentioned.

It is important to note that Cybertrust is also a full service security provider. They offer a wide range of services, from supporting secure product development services, to security testing, and even forensic services. With that said, their services do not seem to be anything special. In fact, they seem to be just about average short of their horrible website and overwhelming marketing fluff.

It is our recommendation that you choose a different provider if you are looking for well defined, high quality services. Cybertrust is cloaked in a thick layer of marketing fluff and frankly doesn't seem to be very easy to work with. That being said, they were also not easy to review. If you disagree with this post or have worked with Cybertrust in the past, then please leave us a comment. We're going to give Cybertrust a "C", but if you can convince us that they deserve a different grade then we'll revise our opinion. Thanks for reading.

--
Posted By secreview to Professional IT Security Providers - Exposed at 12/19/2007 07:32:00 PM

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Regards,
The Secreview Team
http://secreview.blogspot.com
Professional IT Security Service Providers - Exposed