Penetration Testing mailing list archives

Re: My Frustrations Step Two


From: Alex Moen <alexm () ndtel com>
Date: Thu, 18 Dec 2008 16:31:37 -0600

Actually, this should be done anyway as part of the initial contact with the client, defining the role that the pen tester will take and the scope that is suitable and expected.

Maybe some of the "biggies" in the industry could, or would, create some ideas for RFPs that the client (not the pen tester) should use when determining who will do the pen test, kind of an acid test for the selection. This might be a tough thing to do considering that each industry has different needs, but there should be something that they could come up with...

Alex



Leonardo Cavallari Militelli wrote:
Maybe the best solution should be to define a sort of RFP (Request for
Proposal) and steer customers to use it as contractual clauses.


On Thu, Dec 18, 2008 at 10:27 AM, Adriel T. Desautels
<ad_lists () netragard com> wrote:
So it appears to me that the solution to this problem is to provide the
customer with ammunition so that they can quickly shoot down the fraudulent
security experts and properly identify the real ones. There are different
services, different classifications of service, different threat levels,
etc. If our customers knew how to identify what they needed, they could use
that to choose a good provider with much more success. But that's the real
problem isn't it? Our customers aren't security experts and as a result they
don't know what they need...

So, what questions can we arm our customers with so that they can weed out
the Frauds?


Adriel T. Desautels
ad_lists () netragard com




------------------------------------------------------------------------
This list is sponsored by: Cenzic

Security Trends Report from Cenzic
Stay Ahead of the Hacker Curve!
Get the latest Q2 2008 Trends Report now

www.cenzic.com/landing/trends-report
------------------------------------------------------------------------


