Full Disclosure mailing list archives
Re: [Professional IT Security Reviewers - Exposed] SecReview ( F - )
From: coderman <coderman () gmail com>
Date: Thu, 20 Dec 2007 16:49:30 -0800
I've edited this document to remove ambiguous and self-aggrandizing language.

On Dec 20, 2007 4:19 PM, SecReview <secreview () hushmail com> wrote:
1.) What are your qualifications for reviewing these companies? We are a team of security professionals that have been performing a wide array of penetration tests, vulnerability assessments, web application security services etc.
"We've downloaded backtrack and eEye warez. Can also run nmap."
One of our team members has founded two different security companies both of which have been very successful and have offered high quality services.
"One of our members is n3td3v. A blog counts as a business if it hosts google ads."
Yes we have all sorts of pretty little certifications, but those don't really matter.
"We have at least two of something in this list: CPA, CISSP, CISM, CISA, CCNA, CCSE, CCSA, GCIA, GCIH, GCFW, GIAC, GSNA, GCFA, GCUX, GSEC, GSUX, QUE, GQUE, WTFBBQ"
We review companies based on what we are given by the companies and based on what we can find on the internet, with Google, etc. Our reviews are only as good as what we can find.
"Our reviews can only detect obvious crap. Any positive mention is meaningless."
That is why each review is open for debate and why we form an opinion that can be changed. To date, we've had no complaints about our reviews and, for the most part, according to readers, they have been spot on.
"Complaints? They don't exist unless we say so!"
We do have a scoring system but are still refining it. We are trying to find a way to set more clear boundaries between scores so that scores are based more on fact than opinion.
"We are having trouble defining objective measures for useless information. For some reason this results in useless metrics; we are confused, but working diligently on this problem."
Right now, they are mostly based on opinion and what we as professionals consider quality services.
"For now we use the 'ooh shiny!' method, and don't forget, we can still detect obvious crap. (and save you 2.7 minutes surfing that site yourself. oh wait, real security professionals don't find audit teams from google ads. nevermind!)"
We are for all intents and purposes akin to a prospective client looking for an assessment. What we see during a review is what a prospect would see if they took the time to really dig in and analyze security companies. Our opinions are non-biased, all companies start with an A.
"We are akin to a prospective client cold calling some company found on the web and asking for sample reports. This saves you the time of asking for sample reports to see if they really have them. If you were to really dig in, and read these reports, you might discover the obviously crap companies as effectively as we do. (oh wait, real security professionals don't find audit teams from google ads. nevermind!)"

--- now for my review:

Sec Review Sucks sucks! while sec review is not as useful and informative as may be desired, they can still flag the obviously crap for you, and save you 2.7 minutes of surf time better spent on pr0n.

Sec Review: D-
Sec Review Sucks: F

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/