Penetration Testing mailing list archives

Re: Pentest Letter of Achievement/Certificate


From: John Kinsella <jlk () thrashyour com>
Date: Wed, 13 Jul 2005 14:46:15 -0700


First off, I guess I read between the lines of blowfish's orig. post -
was trying to provide a seal of approval so to speak, saying that a
given pen test was conducted in a thorough manner by a respectable
source.

Did a quick review of the 2.1 docs, what I was thinking of isn't quite
a letter as you were looking for (that's done in 5 mins with a word
processor) but there's a seal and verbiage on page 11 that "certifies"
to a degree what's been done.

What it comes down to, though, is if one follows the manual for the
pentest, and issues a thorough report following the templates - you
should end up with a fairly thick and useful document.  At that point,
putting a signed page with a seal on it at the front should satisfy most
people.

btw, isecom guys - http://www.isecom.org/stamps.htm is dead, altho
linked to in a public document.  tsk, tsk. :)

John

On Wed, Jul 13, 2005 at 10:33:10AM +0200, blowfish 448 wrote:

Hi John,

I checked and in the current available OSSTMM 2.1 version there is a
certain 'data sheet' mentioned in the accreditation section. It says
however in the document that such data sheet is only available in
vs. 2.5, which I could not trace back. After 2.1 the next one set for
release is 3.0. Do you know of such 2.5 version maybe?


Thanks


From: John Kinsella <jlk () thrashyour com>
Reply-To: John Kinsella <jlk () thrashyour com>
To: blowfish 448 <blowfish448 () hotmail com>
CC: pen-test () securityfocus com
Subject: Re: Pentest Letter of Achievement/Certificate
Date: Tue, 12 Jul 2005 19:29:43 -0700

I think http://www.isecom.org/osstmm/ might cover what you're looking
for...

John

On Tue, Jul 12, 2005 at 10:52:42PM +0200, blowfish 448 wrote:
Hi,

any of you know if any 'standards' or accepted guidelines exist for a
letter or certification of successful resistance to Penetration
Testing/Vulnerability Assessment. Customers often demand to have a proof
delivered by their Penetration Test service provider to show to their
partners and customers.

The idea of course is not to disclose sensitive information but to
briefly describe the environment tested and how - according to which
methodologies and the attack vectors tested for.


Thanks in advance
