Penetration Testing mailing list archives
Re: WebServices Testing
From: "mailing lists" <bofn () irq org>
Date: Fri, 06 Oct 2006 00:24:00 +0200
On Thu, 5 Oct 2006 14:56:25 -0400 "dallas jordan" wrote:

> I am tasked with doing some security testing on a new web services application our client is rolling out. I have never really tested a web service app before

So... they pay you to do something you know hardly anything about? and instead of getting someone who does know how to, you prefer to fumble a bit. doesn't seem to take much to get those 'GCIH, CISSP' certificates.

sorry about the flame.. But... this is why the infosec bizz has become cowboy territory rather than a serious profession. and it ticks me off a bit, knowing that those who have put in the effort of learning how it all really functions inside are getting a bad name from the "just sell it first, and then figure out later how to do it" types.

the times that we have looked at companies after they were certified secure by cowboy companies, and found endless amounts of flaws and serious holes, seems unreal, but is fact. but then again, as mentioned before, most companies do not want to hear how bad it really is, and would rather pay a little extra to get a 'filtered' report that they can proudly show at their board meetings, and then pray to Loki that no one will find out about the actual state of their infrastructure.

to sum this up, I think that the cowboys are responsible for the very low standard of infosec awareness on this planet, and they profit from keeping it so. and again, the joe and betty in the street are the victims, because their privacy-sensitive info and often their savings are compromised at some point, as we keep reading in the media. and those reports never say if that company or organisation was certified by any of the so-called security companies.

maybe it's time that each security certification selling company keeps a public list on their website with all the names they sold them to. so we all can see what the certification is really worth, but more to encourage those companies to stop selling hot air.

Cheers, big ears.
*Anna.