Penetration Testing mailing list archives
RE: Pentest Letter of Achievement/Certificate
From: "Paul Fields" <Infosec () plainenglishsecurity com>
Date: Thu, 14 Jul 2005 15:18:59 -0400
Blowfish's original question:
> Any of you know if any 'standards' or accepted guidelines exist for a letter or certification of successful resistance to Penetration Testing?
As others have pointed out, make a letter, name your methodology, sign it and date it. OSSTMM is one; others use NSA's INFOSEC Assessment Methodology.
> Customers often demand to have a proof delivered by their Penetration Test service provider to show to their partners and customers.
Same as Y2K compliance was asked for by partners/customers, and as of LAST MONTH security standards compliance is being asked of anyone who has a major credit card merchant account. Payment Card Industry data security standards specifically ask for quarterly vulnerability scans and annual pen testing. The Gramm-Leach-Bliley Act also asks for periodic testing of systems. Now that they ask for it, how do you prove what you've done? One of the reasons we use repeatable methodologies in audits is the assumption that someone else using the same knowledge, tools, and techniques could easily come up with the same results.

Travis' response:
> A lot of people accept this kind of unrealistic request from a client because 1) they don't know any better
If they are in certain industries their client can't do business without something that shows they pen test their systems.
> 2) are unable to educate their client and won't turn down a gig even when their client is unrealistic
Maybe this should be laid out clearly when you define the engagement: if the customer needs the test done to meet a regulatory or other requirement, then one of the things you should establish is whether or not your testing fulfils their obligation. If the technical requirements for their industry haven't been defined, use the best methodology you have, document the test, and if next year somebody comes out with detailed technical requirements, use them on the next audit.
> Security audits are not marketing tools.
Oddly enough, I don't think anyone here said that they were, but they are becoming a cost of doing business and a minimum standard of due care.

Paul Fields