Penetration Testing mailing list archives
Re: Pentest Letter of Achievement/Certificate
From: John Kinsella <jlk () thrashyour com>
Date: Wed, 13 Jul 2005 14:46:15 -0700
First off, I guess I read between the lines of blowfish's orig. post - was trying to provide a seal of approval so to speak, saying that a given pen test was conducted in a thorough manner by a respectable source.

Did a quick review of the 2.1 docs, what I was thinking of isn't quite a letter as you were looking for (that's done in 5 mins with a word processor) but there's a seal and verbiage on page 11 that "certifies" to a degree what's been done.

What it comes down to, though, is if one follows the manual for the pentest, and issues a thorough report following the templates - you should end up with a fairly thick and useful document. At that point, putting a signed page with a seal on it at the front should satisfy most people.

btw, isecom guys - http://www.isecom.org/stamps.htm is dead, altho linked to in a public document. tsk, tsk. :)

John

On Wed, Jul 13, 2005 at 10:33:10AM +0200, blowfish 448 wrote:
> Hi John,
>
> I checked and in the current available OSSTMM 2.1 version there is a certain 'data sheet' mentioned in the accreditation section. It says however in the document that such data sheet is only available in vs. 2.5, which I could not trace back. After 2.1 the next one set for release is 3.0. Do you know of such 2.5 version maybe?
>
> Thanks
>
>> From: John Kinsella <jlk () thrashyour com>
>> Reply-To: John Kinsella <jlk () thrashyour com>
>> To: blowfish 448 <blowfish448 () hotmail com>
>> CC: pen-test () securityfocus com
>> Subject: Re: Pentest Letter of Achievement/Certificate
>> Date: Tue, 12 Jul 2005 19:29:43 -0700
>>
>> I think http://www.isecom.org/osstmm/ might cover what you're looking for...
>>
>> John
>>
>> On Tue, Jul 12, 2005 at 10:52:42PM +0200, blowfish 448 wrote:
>>> Hi,
>>>
>>> any of you know if any 'standards' or accepted guidelines exist for a letter or certification of successful resistance to Penetration Testing/Vulnerability Assessment.
>>>
>>> Customers often demand to have a proof delivered by their Penetration Test service provider to show to their partners and customers.
>>>
>>> The idea of course is not to disclose sensitive information but to briefly describe the environment tested and how - according to which methodologies and the attack vectors tested for.
>>>
>>> Thanks in advance