RE: Security Audit

["Ogle Ron (Rennes)" <OgleR () thmulti com>]

Then maybe someone should define what the components are for a standard
penetration test, a vulnerability assessment, and a security audit.  This
document then should be published as a security community approved standard
as either an RFC under the IETF or through some other recognized
organization.

My .02
Ron Ogle
Thomson multimedia
Rennes, France

> -----Original Message-----
> From: R. DuFresne [mailto:dufresne () sysinfo com]
> Sent: Wednesday, September 05, 2001 9:12 PM
> To: Todd Ransom
> Cc: pen-test () securityfocus com
> Subject: Re: Security Audit
>
>
>
> Anyone claiming that their pen test, vuln assessment, or 
> security audit
> consists merely of running nessus and or nmap and producing a 
> reporrt and
> final results is a charleton, and does the security industry a
> dis-service.  Yet, I have seen, in practice, both outside consultants,
> hired guns from the outside and supposedly 'trained' 
> professionls <CISSP!> 
> within the corporate sector do merely this and stamp 
> "certified secure"
> across organizations.  A "test, assessment, or audit"  are 
> more akin to
> remodeling, then ne home building and remodeling, having done 
> lots of it
> over time, I can safely state, is -=dirty work=-.  When you rip open a
> wall, one is sometimes amazed, as well as disenheartened at 
> what they find
> behind the sheetrock and plaster.
>
> Thanks,
>
> Ron DuFresne 

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/