Penetration Testing mailing list archives

Re: Pentest Letter of Achievement/Certificate


From: Tom Van de Wiele <tom.vandewiele () gmail com>
Date: Wed, 13 Jul 2005 09:22:23 +0200

I find the concept of giving someone a certificate for resisting a
penetration test very dangerous. Nothing can guarantee that after the
test (especially a blind penetration test) all vulnerabilities have
been found and identified. What value does your certificate have if
another company comes by and finds one more hole? Then you issued a
certificate that will only endanger the name and reputation of your
company. What is the value then? Because of this, big companies
will always have different partners when it comes to the security
testing of their infrastructure.

my 2 cents

Tom



--
Tom Van de Wiele, CISSP
Security Engineer

UNISKILL nv
http://www.uniskill.com
tom.van.de.wiele {A} uniskill.com



On 7/12/05, blowfish 448 <blowfish448 () hotmail com> wrote:
Hi,

any of you know if any 'standards' or accepted guidelines exist for a letter
or certification of successful resistance to Penetration Testing/Vulnerability
Assessment. Customers often demand to have a proof delivered by their
Penetration Test service provider to show to their partners and customers.

The idea of course is not to disclose sensitive information but to briefly
describe the environment tested and how - according to which methodologies
and the attack vectors tested for.


Thanks in advance