Penetration Testing mailing list archives

Re: WebServices Testing


From: "mailing lists" <bofn () irq org>
Date: Sun, 08 Oct 2006 12:52:24 +0200


On Fri, 6 Oct 2006 10:27:58 -0400
"Paul Melson" <pmelson () gmail com> wrote:

-----Original Message-----
Subject: Re: WebServices Testing

So...
they pay you to do something you know hardly anything about?

I doubt the letter of intent puts it *that* way.  :-)
;-)


But then again, as mentioned before, most companies do not want to hear how bad it really is, and rather pay a little extra to get a 'filtered' report that they can proudly show at their board meetings, and then pray to Loki that no one will find out about the actual state of their infrastructure.

You're half right.  I'm sure his client wants a report that says that their
network, their applications, their financials, and their manhoods are all
secure.  But I doubt they're hoping nobody finds out the ugly truth about
their infrastructure because I would wager a guess that they have no idea,
either.
*humble salute*

Correction/addition: if/when they find out, they will often not want to know, in my experience, and often make it not appear in their final version of the report.
I've been asked many times to take things out of reports, and just told them "you also get a digital copy...." {hint}


To sum this up, I think that the cowboys are responsible for the very low standard of infosec awareness on this planet, and they profit from keeping it so.

I disagree.  Customers that demand cheap, "teach-to-the-test" audits are
what make so-called cowboy project work possible.  

Do you think one should punish junkies rather than dealers?
Or... lock out the dealers and try to ensure no dope is required, by guiding the potential junkies away from it.
;-P



 
In this case, I think it's unfair to impeach Dallas' skills or ethics.
Everybody has to learn some time, and let's not pretend that we've all been
auditing web services since day one.
Nope... I first learned how to program such a service from scratch, on a few platforms.

I'll be the first to say it's not
something I've ever done.  At least he knows what he doesn't know and is
asking for help now.  Believe me when I tell you there are plenty of
consultants that would've just pointed Nessus at it and given them a clean
report or told them that they need to block ICMP timestamp requests.
:-))

 
I do, however, think it's crappy that his employer has put Dallas and their
client in a position to succeed poorly or fail well.  If the client does
their homework and brings all of their resources to the table to assist in
the audit and remediation process, poor Dallas will be found out as having
no experience in this arena.  If they don't the audit may go off without
incident, but the value and depth may be lacking also.  
I think that the lad wants to run before he can walk, and should tag along with an experienced person before walking it alone.


But at least the important objective - the account manager making 7%
commission on a five-figure audit engagement - will be achieved.  Not that
I'm jaded or anything.
*grin*


And again, the Joe and Betty in the street are the victims, because their privacy-sensitive info and often their savings are compromised at some point, as we keep reading in the media.

The botherders were going to do it anyway.  At least now there will be a
class action lawsuit that they can get in on. :-)
:)


PaulM

*Anna

-- 
"The power of accurate observation is frequently called cynicism by those who don't have
it."


