Penetration Testing mailing list archives

Re: Pentest Letter of Achievement/Certificate


From: Mark Teicher <mht3 () earthlink net>
Date: Wed, 13 Jul 2005 21:33:54 -0400

The dubious part of certification of a network is that it is a "snapshot" in time: at a particular instant in time a network or application can be certified, as in an annual car inspection, as indicated in the latter part of the post. This goes for certain organizations attempting to "tag" their offering as secure in a staging area prior to its arriving and being installed within an enterprise network. Once IT/Security admins alter a security policy or a security rule that could possibly compromise the "security tagging" or "security certification", all bets are off. So if we were to return to the car inspection example, a car could pass inspection and receive its car inspection pass sticker, but the inspection pass sticker could be compromised as soon as the car pulls away from the inspecting garage, if a rock jumps up from the road and breaks the headlight. Now the car inspection "pass" is compromised.



At 02:27 PM 7/13/2005, Michael Sierchio wrote:
Tom Van de Wiele wrote:
I find the concept of giving someone a certificate for resisting a
penetration test very dangerous.  Nothing can guarantee that after the
test (especially a blind penetration test) all vulnerabilities have
been found and identified.

It's all a matter of what the certificate attests to and how it
is interpreted.

I see nothing wrong with a statement affirming compliance with
consensus best practice, or acceptable resistance to the known,
relevant vulnerabilities on a certain date, etc.

This is by no means a guarantee of "safety" or "security," but
it might be a useful tool in establishing a disciplined approach
to risk.

Dubious analogy:  my mechanic signs an inspection certificate that
says that the tire pressure, chain tension, steering, brakes, etc.
are in good condition on my motorcycle -- he's not promising that
I won't crash.
