Re: Pentest Letter of Achievement/Certificate

["Matthew J. Harmon" <matthew.j.harmon () quorumsecurity com>]

On Wed, 13 Jul 2005, Travis Good wrote:

[snip]

> Security audits are not marketing tools.

http://www.cafepress.com/hoganstore/617378
http://www.cafepress.com/ph4tl3wt/332961

Got FUD?

-Matthew

Matthew J. Harmon
Principal Security Consultant
Quorum Security, Inc.
matthew.j.harmon () quorumsecurity com
+1 612.987.0115

[This was inline posting, not top posting]

On Wed, 13 Jul 2005, blowfish 448 wrote:

> Tom, Ralph,
>
> thanks for the input, and I totally agree. Should have been paying more
> attention
> to the wording I used. It's not so much providing a certificate of success,
> here I
> agree with your arguments, but rather an objective statement of penetration
> testing
> has been executed at a certain period in time on infrastructure X at customer
> Y by
> company Z. This so they can show to their customer base they take security
> serious
> and have undergone testing.
>
> > From my experience in the financial market customers and partners - e.g. 
> other banks -
> of financial organisations asking for such proof is absolutely not so
> uncommon.
>
> Thanks
>
> > On 7/12/05, blowfish 448 <blowfish448 () hotmail com> wrote:
> > > Hi,
> > >
> > > any of you know if any 'standards' or accepted guidelines exist for a
> > letter
> > > or certification
> > > of succesfull resistance to Penetration Testing/Vulnerability Assessment.
> > > Customers often
> > > demand to have a proof delivered by their Penetration Test service
> > provider
> > > to show to their
> > > partners and customers.
> > >
> > > The idea of course is not to disclose sensitive information but to briefly
> > > describe
> > > the environment tested and how - according to which methodologies and the
> > > attack vectors
> > > tested for.
> > >
> > >
> > > Thanks in advance
> > >
> > >
> > >

Travis Good, CISSP, IAM