Penetration Testing mailing list archives

Re: Security Audit


From: "Todd Ransom" <transom () extremelogic com>
Date: Thu, 6 Sep 2001 12:24:20 -0400

Thanks to everyone who replied to my question.  I'm looking to start a
security consulting practice and this has been very helpful.  It seems like
the bulk of the job is checking for and possibly exploiting known
vulnerabilities.  Although I'm sure I will end up doing plenty of this, I'm
more interested in auditing architecture/implementation and attempting to
exploit currently unknown problems.  Is the market ready for someone to
offer this type of service?  For example, will the market pay for a
consultant to come in and test a web site for cross-site scripting problems?
Use of dangerous server-side objects (I'm thinking COM objects in ASP
script)?  Evaluate corporate browser or mail client deployments?  This type
of analysis would have to be far more expensive because it would take
considerable expertise and possibly large amounts of time.  It sounds like a
pen test could sometimes include this type of activity.

thanks,
TR

----- Original Message -----
From: "Bill Pennington" <billp () boarder org>
To: "Todd Ransom" <transom () extremelogic com>
Cc: <pen-test () securityfocus com>
Sent: Thursday, September 06, 2001 11:31 AM
Subject: Re: Security Audit


Todd Ransom wrote:

What is the difference between vuln assessment and pen test?



