Penetration Testing mailing list archives
Re: Pentest Letter of Achievement/Certificate
From: Travis Good <tgood () mindsecurity net>
Date: Wed, 13 Jul 2005 21:17:57 -0700 (PDT)
http://www.hackersafe.comThey even offer a little icon the client can post on their web page that says they are safe! It also tells when the last scans were done.
This is similar to the "we are secure. We use SSL encryption"Alot of people accept this kind of unrealistic request from a client because 1) they dont know any better, 2) are unable to educate their client and wont turn down a gig even when their client is unrealistic
or 3) dont care and just want money. Security audits are not marketing tools. Just my .02 On Wed, 13 Jul 2005, blowfish 448 wrote:
Tom, Ralph,thanks for the input, and I totally agree. Should have been paying more attention to the wording I used. It's not so much providing a certificate of success, here I agree with your arguments, but rather an objective statement of penetration testing has been executed at a certain period in time on infrastructure X at customer Y by company Z. This so they can show to their customer base they take security seriousand have undergone testing.From my experience in the financial market customers and partners - e.g.other banks -of financial organisations asking for such proof is absolutely not so uncommon.ThanksOn 7/12/05, blowfish 448 <blowfish448 () hotmail com> wrote: > Hi, >> any of you know if any 'standards' or accepted guidelines exist for a letter> or certification > of succesfull resistance to Penetration Testing/Vulnerability Assessment. > Customers often> demand to have a proof delivered by their Penetration Test service provider> to show to their > partners and customers. >> The idea of course is not to disclose sensitive information but to briefly> describe > the environment tested and how - according to which methodologies and the > attack vectors > tested for. > > > Thanks in advance > > >
Travis Good, CISSP, IAM
Current thread:
- RE: GPRS Security, (continued)
- RE: GPRS Security Tonie (Jul 15)
- Re: GPRS Security Ty Bodell (Jul 15)
- Re: GPRS Security Johan Mellberg (Jul 16)
- RE: GPRS Security Sahir Hidayatullah (Jul 19)
- source code audit manoj kumar (Jul 19)
- Re: Pentest Letter of Achievement/Certificate R. DuFresne (Jul 13)
- Re: Pentest Letter of Achievement/Certificate John Kinsella (Jul 14)
- Re: Pentest Letter of Achievement/Certificate Tom Van de Wiele (Jul 13)
- Re: Pentest Letter of Achievement/Certificate blowfish 448 (Jul 13)
- Re: Pentest Letter of Achievement/Certificate Tom Van de Wiele (Jul 13)
- Re: Pentest Letter of Achievement/Certificate Travis Good (Jul 13)
- Re: Pentest Letter of Achievement/Certificate John Kinsella (Jul 14)
- RE: Pentest Letter of Achievement/Certificate Paul Fields (Jul 14)
- Re: Pentest Letter of Achievement/Certificate Mike Klingler (Jul 15)
- RE: Pentest Letter of Achievement/Certificate Lyal Collins (Jul 15)
- Re: Pentest Letter of Achievement/Certificate blowfish 448 (Jul 13)
- Re: Pentest Letter of Achievement/Certificate Matthew J. Harmon (Jul 14)
- Re: Pentest Letter of Achievement/Certificate Mark Teicher (Jul 13)