Full Disclosure mailing list archives

Re: [Professional IT Security Reviewers - Exposed] SecReview ( F - )


From: coderman <coderman () gmail com>
Date: Thu, 20 Dec 2007 16:49:30 -0800

I've edited this document to remove ambiguous and self-aggrandizing language.


On Dec 20, 2007 4:19 PM, SecReview <secreview () hushmail com> wrote:
1.) What are your qualifications for reviewing these companies?

We are a team of security professionals that have been performing a
wide array of penetration tests, vulnerability assessments, web
application security services, etc.

"We've downloaded backtrack and eEye warez. Can also run nmap."


One of our team members has
founded two different security companies both of which have been
very successful and have offered high quality services.

"One of our members is n3td3v.  A blog counts as a business if it
hosts google ads."


Yes we have
all sorts of pretty little certifications, but those don't really
matter.

"We have at least two of something in this list: CPA, CISSP, CISM,
CISA, CCNA, CCSE, CCSA, GCIA,
GCIH, GCFW, GIAC, GSNA, GCFA, GCUX, GSEC, GSUX, QUE, GQUE, WTFBBQ"


We review companies based on what we are given by the companies and
based on what we can find on the internet, with Google, etc. Our
reviews are only as good as what we can find.

"Our reviews can only detect obvious crap.  Any positive mention is
meaningless."


That is why each
review is open for debate and why we form an opinion that can be
changed. To date, we've had no complaints about our reviews, and for
the most part, according to readers, they have been spot on.

"Complaints?  They don't exist unless we say so!"


We do have a scoring system but are still refining it. We are
trying to find a way to set more clear boundaries between scores so
that scores are based more on fact than opinion.

"We are having trouble defining objective measures for useless
information.  For some reason this results in useless metrics; we are
confused, but working diligently on this problem."


Right now, they
are mostly based on opinion and what we as professionals consider
quality services.

"For now we use the 'ooh shiny!' method, and don't forget, we can
still detect obvious crap. (and save you 2.7 minutes surfing that site
yourself. oh wait, real security professionals don't find audit teams
from google ads.  nevermind!)"


We are for all intents and purposes akin to a prospective client
looking for an assessment. What we see during a review is what a
prospect would see if they took the time to really dig in and
analyze security companies. Our opinions are non-biased, all
companies start with an A.

"We are akin to a prospective client cold calling some company found
on the web and asking for sample reports.  This saves you the time of
asking for sample reports to see if they really have them.  If you
were to really dig in, and read these reports, you might discover the
obviously crap companies as effectively as we do. (oh wait, real
security professionals don't find audit teams from google ads.
nevermind!)"

---

now for my review: Sec Review Sucks sucks!  while sec review is not as
useful and informative as may be desired, they can still flag the
obviously crap for you, and save you 2.7 minutes of surf time better
spent on pr0n.

Sec Review: D-
Sec Review Sucks: F

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

