Penetration Testing mailing list archives

Re: [PEN-TEST] How to "break into" the Pen-Testing field


From: "Teicher, Mark" <mark.teicher () NETWORKICE COM>
Date: Tue, 12 Sep 2000 09:24:42 -0700

Bennett,

Thank you for your viewpoint.  Some high end consulting services state as
one of the differentiators that they utilize Industry Best Practices when they
are hired for engagements, especially penetration testing.  If you are
stating that it is hard to define Industry Best Practices since InfoSec is
a moving target and no two firms or individuals will run the available
tools the same, then how does an organization pick a reputable firm to
hire?  And then how does one validate their findings?

/mark

At 04:53 PM 9/11/00 -0400, Bennett Todd wrote:
2000-09-11-13:34:03 Frasnelli, Dan:
> > But what really is Industry Best Practices.
>
> I imagine SANS or similar group has a list of recommended practices.

I've completely abandoned SANS; they seem to be a pack of utter,
incurable, incompetent, unprofessional morons. They specifically
endorse and recommend sendmail and BIND, and refuse to listen to
discussions critical of these recommendations. That's enough, as far
as I'm concerned; anything that has the SANS name on it can be
ignored.

As of this instant, the most vocal and active group I know of
promoting good security practice is securityfocus.com, thanks to the
mailing lists they host. If I had to hunt for other organizations I
respect at this point, it'd get a lot harder; the other good ones
have either gone bad, or gone quiet, as far as I can tell. The next
closest I know of would be Counterpane Systems, but that focuses on
crypto rather than on security in general.

As for the topic behind your mention of Industry Best Practices, I
don't advocate application of that phrase in the field of internet
security; this field is too new, and is evolving too rapidly, for
there to be any accepted Best Practices. Contrast with e.g. finance,
where for e.g. financial accounting reporting requirements there are
Industry Best Practices which evolve pretty rapidly, it takes a
professional to stay on top of them --- but accounting is arguably a
5000+- year old field.

With the field completely revolving, all old truths being replaced
by a completely new set, in just a few years, there's no time to
begin to establish Best Practice.

-Bennett
