Penetration Testing mailing list archives
RE: Security Audit
From: "Dom De Vitto" <Dom () DeVitto com>
Date: Mon, 17 Sep 2001 19:52:26 +0100
From: Phil Cracknell [mailto:phil () orthus com] <SNIP>Other problem can be also giving away models and methods, because there are manysmartasses that are just lookingafter knowledge to do the job themselfs.We have a methodology and would not hesitate in giving it to our clients,
we
do so regularly, and we also abstract from this a detailed test plan for them. These documents allow for some form of measurement in all of this
and
as a result if a cowboy tries to sell them a $500 remote scan they have something to compare it too.
Great I think the cowboys/salesfolk all need lining up against a wall...
The 'right' sort of client will have already identified that doing the job themselves is not the right approach I would hope, regardless of how smart their ass is.
Nope, I totally disagree. If the company can afford to spend circa $150,000 pa on a _good_ consultant, that consultant will know more about their infrastructure, technologies, software and risks than any "one week wonder". They'll also gauge risk accurately for *that* company, e.g. which is worse - intrusion or DOS ? For (say) a retailer, a small intrusion will cost them a lot less than a total DOS, but for a bank the reverse is likely to be true....for instance. It's nice to have fresh young 'uns that can "walk-the-walk" - if you can't... But frankly it's far better value to get a permanent, 100% security guru to do the work, and give them the responsibility to monitor and enforce a level of security before, before and after infrastructure goes live. Saying that a smart client is never as good as a consultant assumes the cream of the security set (ahem) haven't gone "permie"... ...say, for a quite indecent amount of cash :-) Dom ---------------------------------------------------------------------------- This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service. For more information on SecurityFocus' SIA service which automatically alerts you to the latest security vulnerabilities please see: https://alerts.securityfocus.com/
Current thread:
- Re: How to discover FW-1 management module or GUI?, (continued)
- Re: How to discover FW-1 management module or GUI? The Crocodile (Sep 16)
- Re: How to discover FW-1 management module or GUI? Penetration Testing (Sep 16)
- Re: Security Audit H Carvey (Sep 12)
- Re: Security Audit R. DuFresne (Sep 12)
- Re: Security Audit H C (Sep 13)
- Re: Security Audit R. DuFresne (Sep 13)
- Re: Security Audit H C (Sep 13)
- Industry Definitions... possible? was Re: Security Audit Don Bailey (Sep 14)
- Re: Security Audit R. DuFresne (Sep 12)
- Re: Security Audit bacano (Sep 16)
- RE: Security Audit Dom De Vitto (Sep 18)
- Re: Security Audit bacano (Sep 17)