Penetration Testing mailing list archives

Re: My Frustrations


From: security curmudgeon <jericho () attrition org>
Date: Thu, 18 Dec 2008 20:29:42 +0000 (UTC)



On Thu, 18 Dec 2008, Jamie Riden wrote:

: However, just running an automated tool such as nessus/nmap/whatever and 
: dumping the results into a report is not nearly good enough - yes, I 
: have seen this in a commercial pen-test report. Ugh.

This is the downside to signing NDAs. They protect security companies' 
inadequacies just as much as they protect sharing sensitive data with a 
third party.

Customers pay, and they can control such NDAs if they choose. It would be 
nice to see more customers reword NDAs to protect themselves, agree not to 
disclose some vendor 'trade secrets' (really, ./nessus -args isn't a trade 
secret), but not bind themselves further. This would let a company post to 
the list "We used X Scan Shop, Inc. and were very unhappy. They provided 
unsanitized $product reports without even validating false positives."

