Full Disclosure mailing list archives
Re: [Professional IT Security Reviewers - Exposed] SecReview ( F - )
From: "SecReview" <secreview () hushmail com>
Date: Thu, 20 Dec 2007 19:19:16 -0500
1.) What are your qualifications for reviewing these companies?

We are a team of security professionals that have been performing a wide array of penetration tests, vulnerability assessments, web application security services etc. One of our team members has founded two different security companies, both of which have been very successful and have offered high quality services. Yes, we have all sorts of pretty little certifications, but those don't really matter.

2.) Your criteria for review is clearly flawed. Reviewing marketing material, websites, etc. is just ridiculous. Typically these are not created by the security team itself, but instead the marketing department for a company. You only just mentioned that you started reviewing sample reports, and that not all companies are willing to provide these. How could you possibly review a company WITHOUT a sample report at the minimum?

We review companies based on what we are given by the companies and based on what we can find on the internet, with Google, etc. Our reviews are only as good as what we can find. That is why each review is open for debate and why we form an opinion that can be changed. To date, we've had no complaints about our reviews and for the most part according to readers have been spot on.

3.) What is your scoring system? Do you even have one?

We do have a scoring system but are still refining it. We are trying to find a way to set more clear boundaries between scores so that scores are based more on fact than opinion. Right now, they are mostly based on opinion and what we as professionals consider quality services.

4.) If company A does not submit themselves for review, and therefore will not provide you with the information you need to review them, do they get a lower score?

No, if a company does not submit themselves for review they do not get a lower score. In fact, most companies do not submit themselves for review but still provide us with sample reports when we call them.

Sample reports help out for obvious reasons, but then again so do all of the other aspects of our research. We are for all intents and purposes akin to a prospective client looking for an assessment. What we see during a review is what a prospect would see if they took the time to really dig in and analyze security companies. Our opinions are non-biased, all companies start with an A.

Did that help?

P.S. Next time you might want to base your opinion off of the blog instead of reading just a few emails. Then at least you could offer useful critical insight into what we are doing.

Regards,
The Secreview Team
http://secreview.blogspot.com
Professional IT Security Service Providers - Exposed