Re: They will protect me (won't they?)

["Adriel T. Desautels" <ad_lists () netragard com>]

Jamie,
	I understand your perspective but its not the perspective of any well  
seasoned security professional.  The fact of the matter is that that  
external teams will always identify risks and provide new perspective  
that you would not get from your internal team. Internal teams get  
stale.   There's a lot more to what I'm saying than what I've just  
written, but if you read between the lines I hope you understand where  
I'm coming from.


On Feb 10, 2009, at 5:28 PM, Jamie Riden wrote:

> 2009/2/9 Adriel T. Desautels <ad_lists () netragard com>:
> > One of my recent thoughts and blog entries...
> >
> > So the other day I was talking with my buddy Kevin Finisterre.  One  
> > of the
> > things that we were discussing was people who just don't feel that  
> > security
> > is an important aspect of their business because their customers  
> > don't ask
> > for it.  That always makes my brain scream "WHAT!?". Here's a  
> > direct quote
> > from a security technology vendor "We don't perform regular  
> > penetration
> > tests because our customers don't ask us to do that."
>
> This is probably not a popular view on this list, but I think you can
> do a lot towards securing a system without doing a pen-test.
> Obviously, I think vendors do have a substantial responsibility to
> make sure the systems they sell are easy to secure, and to encourage
> their customers to keep them secure. But if the security guy at the
> company fixes everything up without having a pen-test that's fine with
> me.
>
> cheers,
> Jamie
> --
> Jamie Riden / jamesr () europe com / jamie () honeynet org uk
> http://www.ukhoneynet.org/members/jamie/



        Adriel T. Desautels
        ad_lists () netragard com
        --------------------------------------

        Subscribe to our blog
        http://snosoft.blogspot.com