Penetration Testing mailing list archives
Re: My Frustrations Step Two
From: "Paul Melson" <pmelson () gmail com>
Date: Fri, 19 Dec 2008 07:04:35 -0500
On Thu, Dec 18, 2008 at 7:27 AM, Adriel T. Desautels <ad_lists () netragard com> wrote:
> So it appears to me that the solution to this problem is to provide the customer with ammunition so that they can quickly shoot down the fraudulent security experts and properly identify the real ones. There are different services, different classifications of service, different threat levels, etc. If our customers knew how to identify what they needed, they could use that to choose a good provider with much more success. But that's the real problem, isn't it? Our customers aren't security experts and as a result they don't know what they need...
I think that you're on the right track here, insofar as customer awareness is the key to differentiating expert pen-testers from people who charge money for Nessus scans. (To that point, using a scanner isn't a differentiator between a poseur and a real pen-tester, but *only* using a scanner is probably the big one.) But this is far from a silver bullet. As I pointed out the last time we discussed this topic, there are customers out there that want - or are required to have - a report from a third party that shows that they're secure. And they're not willing to pay much, so they're not going to get much. For a Netragard, or an InGuardians, or an IOActive, or an Immunity, it is simply not worth their time to work with clients who want to do security on the cheap. They staff experts, and they pay for it. As a result, so must their clients, and it's clear that they don't have problems getting clients who are willing to pay for access to their experts. But if somebody's willing to spend money, somebody's also likely willing to take it, and that's not going to change no matter how much you educate the customer. Unqualified people will continue to do IT security work for the duration. And for those that propose licensing as a solution, ask an attorney how effective that's been in their field.
> So, what questions can we arm our customers with so that they can weed out the Frauds?
I think that this is less about general education and more about brand awareness. It is a business, after all. In our industry, you build brand awareness by publishing new research and by sending your experts to present at conferences where they can be seen. Oh, and you put your logo on all of it. :-) The end result will be customers who want, and can easily find, upper-echelon talent and service on one end, and customers who care only about cost on the other, with a pretty big middle defined by various organizational constraints. Frankly, I'm not sure we aren't already there.

PaulM