Re: Pentest Letter of Achievement/Certificate

[John Kinsella <jlk () thrashyour com>]

Completely concur, but for some people ya just gotta put one of these on
there:

http://tinyurl.com/cqjzh

Kidding aside, I think the OSSTMM is a good reference for alot of
people, and as a client I think I'd feel pretty confident that a good
job had been done if this methodology had been done with gusto by a
pentester I hired.  The seal/letter's basically a gold star for those
who know, and a blinky light for the management. (ok I rank it
significantly higher than the MS NT thing, but ya get the idea,
hopefully)

John

On Wed, Jul 13, 2005 at 05:26:20PM -0400, R. DuFresne wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
>
>
> Isn;t the final report pentesters report what is being asked for here?(0) 
> Or are companies really hung up on and seeking gold stars to post in public 
> areas and at the bottom of stationary?  Kinda like the certifications that 
> M$ got for NT back in the late 90's I guess, meaningless in any env other 
> then the single system they had tested....
>
>
> Thanks,
>
> Ron DuFresne
>
> (0) in most cases that pentesters report is likely to be backed with the 
> corp documentation showing how they mitigated the issues found during the 
> pentest.  Afterall, few companeis should ever comeout of a thourough 
> penttest unscathed.  So they document how they corrected what was 
> discerovered, and perhaps have another outside party verify the 
> 'corrections'.  but gold starts and report cards, or neat little 
> certificates in frames?  <shakes his head>
>
>
>
>
> On Tue, 12 Jul 2005, John Kinsella wrote:
>
> > I think http://www.isecom.org/osstmm/ might cover what you're looking
> > for...
> >
> > John
> >
> > On Tue, Jul 12, 2005 at 10:52:42PM +0200, blowfish 448 wrote:
> > > Hi,
> > >
> > > any of you know if any 'standards' or accepted guidelines exist for a
> > > letter or certification
> > > of succesfull resistance to Penetration Testing/Vulnerability Assessment.
> > > Customers often
> > > demand to have a proof delivered by their Penetration Test service 
> > > provider
> > > to show to their
> > > partners and customers.
> > >
> > > The idea of course is not to disclose sensitive information but to briefly
> > > describe
> > > the environment tested and how - according to which methodologies and the
> > > attack vectors
> > > tested for.
> > >
> > >
> > > Thanks in advance
>
> - -- 
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>         admin & senior security consultant:  sysinfo.com
>                         http://sysinfo.com
> Key fingerprint = 9401 4B13 B918 164C 647A  E838 B2DF AFCC 94B0 6629
>
> ...We waste time looking for the perfect lover
> instead of creating the perfect love.
>
>                 -Tom Robbins <Still Life With Woodpecker>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.2.4 (GNU/Linux)
>
> iD8DBQFC1Yb/st+vzJSwZikRAilGAKDCOxyj3Fox77OhX21BgmkC7I1r3QCgxPYB
> 6R+l1D8nti84/RaOEfoUE5c=
> =aHj2
> -----END PGP SIGNATURE-----