Penetration Testing mailing list archives
Re: Pentest Letter of Achievement/Certificate
From: Mark Teicher <mht3 () earthlink net>
Date: Wed, 13 Jul 2005 21:33:54 -0400
The dubious part of certification of a network is that it is a "snapshot" in time. At that particular instance in time, a network or application can be certified, as in an annual car inspection, as indicated in the latter part of the post. This goes for certain organizations attempting to "tag" their offering as secure during a staging area prior to arriving and being installed within an enterprise network. Once IT/Security admins alter a security policy or a security rule that could possibly compromise the "security tagging" or "security certification," all bets are off. So if we were to return to the car inspection example, a car could pass inspection and receive its car inspection pass sticker, but the inspection pass could be compromised as soon as the car pulls away from the inspecting garage, if a rock jumps up from the road and breaks the headlight. Now, the car inspection "pass" is compromised.
At 02:27 PM 7/13/2005, Michael Sierchio wrote:
Tom Van de Wiele wrote:
> I find the concept of giving someone a certificate for resisting a penetration test very dangerous. Nothing can guarantee that after the test (especially a blind penetration test) all vulnerabilities have been found and identified.

It's all a matter of what the certificate attests to and how it is interpreted. I see nothing wrong with a statement affirming compliance with consensus best practice, or acceptable resistance to the known, relevant vulnerabilities on a certain date, etc. This is by no means a guarantee of "safety" or "security," but it might be a useful tool in establishing a disciplined approach to risk.

Dubious analogy: my mechanic signs an inspection certificate that says that the tire pressure, chain tension, steering, brakes, etc. are in good condition on my motorcycle -- he's not promising that I won't crash.