Re: Pentest Letter of Achievement/Certificate

[Tom Van de Wiele <tom.vandewiele () gmail com>]

Usually, a detailled report is created in two version by the company
that does the pentest.  One version is the executive report which
states the conclussions and recommendations, one is the detailed
technical report of what was tested and why.  I think this served as
enough proof for the customer, no?

Tom

On 7/13/05, blowfish 448 <blowfish448 () hotmail com> wrote:
> Tom, Ralph,
>
> thanks for the input, and I totally agree. Should have been paying more
> attention
> to the wording I used. It's not so much providing a certificate of success,
> here I
> agree with your arguments, but rather an objective statement of penetration
> testing
> has been executed at a certain period in time on infrastructure X at
> customer Y by
> company Z. This so they can show to their customer base they take security
> serious
> and have undergone testing.
>
> From my experience in the financial market customers and partners - e.g.
> other banks -
> of financial organisations asking for such proof is absolutely not so
> uncommon.
>
> Thanks
>
> > On 7/12/05, blowfish 448 <blowfish448 () hotmail com> wrote:
> > > Hi,
> > >
> > > any of you know if any 'standards' or accepted guidelines exist for a
> > letter
> > > or certification
> > > of succesfull resistance to Penetration Testing/Vulnerability
> > Assessment.
> > > Customers often
> > > demand to have a proof delivered by their Penetration Test service
> > provider
> > > to show to their
> > > partners and customers.
> > >
> > > The idea of course is not to disclose sensitive information but to
> > briefly
> > > describe
> > > the environment tested and how - according to which methodologies and
> > the
> > > attack vectors
> > > tested for.
> > >
> > >
> > > Thanks in advance