Penetration Testing mailing list archives
Re: My Frustrations
From: "gold flake" <ptinstructor () gmail com>
Date: Sat, 20 Dec 2008 12:51:39 +0530
I hope Erin will let this one through. Just wanted to add some thoughts of mine. I have been a regular listener of this list but have rarely posted before. I used to work for the military but am now on the other side of the road.

Most of what you all are saying makes sense, but I can also sympathise with Adriel's frustration on how to educate the customer to recognise the good from the bad. I guess if the "security guys" talk on this list and do get educated in return, over a period of time there will be enough experts in the end. While providing a benchmark for the customer is definitely attractive, I guess this problem will address itself over the long run, as these "experts" will also filter down as CISOs in companies looking for Pen Tests.

This also points to the fact that while the real experts are fairly modest and do take the time to explain things to noobs, there are times when these guys can be pretty brusque. Incidentally, this is one of the few posts I have seen on this list generating extensive discussions. It is up to you guys that people like me look for education, and if we get fobbed off with a you-don't-even-know-this! response, is it any wonder that we peddle "Nessus" reports as PT/VA reports? Some of the reputed vendors also allow you to use your own logo on their reports, thereby saving you even the trouble of writing a report in the first place.

The military (and I am sure so do other organisations) have a system of annual appraisal reports. For the most part these reports are subjective in nature, and how you fare depends on whether your boss liked your face or not. But over a period of time, with enough reports from different bosses, these aberrations get evened out. So I think, as enough people have suggested, references are a good starting point for judging the competence of a pen tester.

On Thu, Dec 18, 2008 at 12:49 AM, Adriel T. Desautels <ad_lists () netragard com> wrote:
I recently wrote this blog entry and wanted to get some comments from readers of this list. I'm frustrated with the caliber of the people that are offering security services and posing as experts; that's the subject of the post. Please comment, insult, whatever... I'm interested. http://snosoft.blogspot.com/

Adriel T. Desautels
ad_lists () netragard com