Penetration Testing mailing list archives

Re: My Frustrations


From: "gold flake" <ptinstructor () gmail com>
Date: Sat, 20 Dec 2008 12:51:39 +0530

I hope Erin will let this one through.

Just wanted to add some thoughts of mine.  I have been a regular
listener of this list but have rarely posted before.  I used to work
for the military but am now on the other side of the road.  Most of
what you all are saying makes sense but I can also sympathise with
Adriel's frustration on how to educate the customer to recognise the
good from bad.  I guess if the "security guys" talk on this list and
do get educated in return, over a period of time there will be enough
experts in the end.  While providing a benchmark for the customer is
definitely attractive, I guess this problem will address itself over
the long run as these "experts" will also filter down as CISOs in
companies looking for Pen Tests.

This also points to the fact that while the real experts are fairly
modest and do take the time to explain things to noobs, there are
times when these guys can be pretty brusque.  Incidentally this is one
of the few posts I have seen on this list generating extensive
discussions.  It is up to you guys that people like me look for
education and if we get fobbed off with a you-don't-even-know-this-!
response, is it any wonder that we peddle "Nessus" reports as PT/VA
reports?  Some of the reputed vendors also allow you to use your own
logo on their reports, thereby saving you even the trouble of
writing a report in the first place.

The military (and I am sure so do other organisations) has a system
of annual appraisal reports.  For the most part these reports are
subjective in nature and how you fare depends on whether your boss
liked your face or not.  But over a period of time, with enough
reports from different bosses, these aberrations get evened out.  So I
think as enough people have suggested, references are a good starting
point for judging the competence of a pen tester.

On Thu, Dec 18, 2008 at 12:49 AM, Adriel T. Desautels
<ad_lists () netragard com> wrote:
I recently wrote this blog entry and wanted to get some comments from
readers of this list. I'm frustrated with the caliber of the people that are
offering security services and posing as experts; that's the subject of the
post. Please comment, insult, whatever... I'm interested.

http://snosoft.blogspot.com/


Adriel T. Desautels
ad_lists () netragard com