Date: Thu, 20 Dec 2007 08:19:53 -0700
From: "Mike Vasquez" <mike.vasquez@...il.com>
To: Epic <epic@...k3r.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: [Professional IT Security Providers -Exposed]
	Cybertrust ( C + )

Yes, a blog is an opinion, typically.  And a blog that reviews a
product, *tried the product.*  Seriously, find a blog that reviewed a
product without actually trying it, but almost purely by looking at the
marketing material on the product.

That's an incredibly fundamental difference which makes these reviews pretty
much worthless.

If you had a product you were selling, would you want someone to review it
without even trying it?



On Dec 20, 2007 7:55 AM, Epic <epic@...k3r.com> wrote:

> Isn't ANY review subjective to opinion?    I do not understand the basis
> of this flame.  It appears to me that a lot of the reviews on this site
> offer some great insight into the companies being presented.   Granted it is
> an opinion, but that is what a blog is isn't it?
>
>
> On 12/20/07, c0redump <c0redump@...ers.org.uk> wrote:
> >
> > Exactly.  Your 'grading' is based on your personal opinion.
> >
> > Do us all a favour and get a proper job.
> >
> > ----- Original Message -----
> > From: "guiness.stout" <guinness.stout@...il.com>
> > To: <full-disclosure@...ts.grok.org.uk >
> > Sent: Thursday, December 20, 2007 2:05 PM
> > Subject: Re: [Full-disclosure] [Professional IT Security Providers -Exposed] Cybertrust ( C + )
> >
> >
> > > I'm not really clear on how you are grading these companies.  I've had
> > > no personal experience with them but I don't decide a company's
> > > quality of work simply by their website and what information I get
> > > from some customer support person.  These "grades" seem pointless and
> > > frankly unfounded.  You should reword your grading system to specify
> > > the ease of use of their websites and not the service they provide.
> > > Especially if you haven't ordered any services from them.  I'm not
> > > defending anyone here just pointing out some flaws in this "grading."
> > >
> > > On Dec 20, 2007 12:11 AM, secreview <secreview@...hmail.com> wrote:
> > >> One of our readers made a request that we review Cybertrust
> > >> ("http://www.cybertrust.com"). Cybertrust was recently acquired by
> > >> Verizon and as a result this review was a bit more complicated and
> > >> required a lot more digging to complete (In fact it's now Cybertrust
> > >> and Netsec). Nevertheless, we managed to dig information specific to
> > >> Cybertrust out of Verizon representatives. We would tell you that we
> > >> used the website for information collection, but in all reality the
> > >> website was useless. Not only was it horribly written and full of
> > >> marketing fluff, but the services were not clearly defined.
> > >>
> > >> As an example, when you view the Cybertrust services in their drop
> > >> down menu you are presented with the following service offerings:
> > >> Application Security, Assessments, Certification,
> > >> Compliance/Governance, Consulting, Enterprise Security, Identity
> > >> Management, Investigative Response/Forensics, Managed Security
> > >> Services, Partner Security Program, Security Management Program, and
> > >> SSL Certificates. The first thing you think is "what the hell?" the
> > >> second is "ok so they offer 12 services".
> > >>
> > >> Well as you dig into each service you quickly find out that they do
> > >> not offer 12 services, but instead they have 12 links to 12 different
> > >> pages full of marketing fluff. As you read each of the pages in an
> > >> attempt to wrap your mind around what they are offering as
> > >> individually packaged services you're left with more questions than
> > >> answers. So again, what the hell?
> > >>
> > >> Here's an example. Their "Application Security" service page does not
> > >> contain a description about a Web Application Security service. In
> > >> fact, it doesn't even contain a description about a System
> > >> Software/Application security service. Instead it contains a super
> > >> high level, super vague and fluffy description that covers a really
> > >> general idea of "Application" security services. When you really read
> > >> into it you find out that their Application Security service should
> > >> be broken down into multiple different defined service offerings.
> > >>
> > >> Even more frustrating is that their Application Security service is a
> > >> consulting service and that they have a separate service offering
> > >> called Consulting. When you read the description for Consulting, it
> > >> is also vague and mostly useless, but does cover the "potential" for
> > >> Application Security.
> > >>
> > >> So, trying to learn anything about Cybertrust from their web page is
> > >> like trying to pull teeth out of a possessed chicken. We decided that
> > >> we would move on and call Cybertrust to see what we could get out of
> > >> them with a conversation. That proved to be a real pain in the ass
> > >> too as their website doesn't list any telephone numbers. We ended up
> > >> calling Verizon and after talking to 4 people we finally found a
> > >> Cybertrust representative.
> > >>
> > >> At last, a human being that could provide us with useful information
> > >> and answers to our questions about their services. We did receive
> > >> about 2mb of materials from our contact at Cybertrust, but the
> > >> materials were all marketing fluff, totally useless. That being said,
> > >> our conversation with the representative gave us a very clear
> > >> understanding of how Cybertrust delivers their services. In all
> > >> honesty, we were not all that impressed.
> > >>
> > >> Cybertrust does perform their own Vulnerability Research and
> > >> Development (or so we were told) under the umbrella of ICSAlabs which
> > >> they own. Usually we'd say that this is great because that research
> > >> is often used to augment services and enhance overall service
> > >> quality. With respect to Cybertrust, we couldn't find out what they
> > >> were doing with their research. They just told us that they don't
> > >> release advisories and then refused to tell us what they did with the
> > >> research.
> > >>
> > >> When we asked them about their services and testing methodologies, we
> > >> were first told that they couldn't discuss that. We were told that
> > >> their methodologies were confidential. But after a bit of Social
> > >> Engineering and sweet talking we were able to get more information...
> > >>
> > >> As it turns out, the majority of the Cybertrust services rely on what
> > >> they say are proprietary automated scanners which were developed
> > >> in-house. Their methodology is to run the automated scanners against
> > >> a specific target or set of targets, and then to pass the results to
> > >> a seasoned professional. That professional then verifies the results
> > >> via manual testing and produces a report that contains the vetted
> > >> results.
> > >>
> > >> This methodology doesn't really offer any depth and doesn't do much
> > >> to raise the proverbial security bar. In fact, it is only slightly
> > >> better than running a Qualys scan, changing the wording of the
> > >> report, and delivering that. Quality methodologies should contain no
> > >> more than 20% automated testing and no less than 80% manual testing.
> > >> Vulnerability discovery should be done via manual testing, not just
> > >> via automated testing.
> > >>
> > >> In defense of Cybertrust, they did say that they would test in
> > >> accordance with the customer's requirements. They also did say that
> > >> if the customer wanted 100% manual testing that they would do it. If
> > >> they want 100% automated "rubber stamp of approval" testing they
> > >> would do that too. Saying it is a lot different than doing it though
> > >> and we weren't impressed with their standard/default testing
> > >> methodology as previously mentioned.
> > >>
> > >> It is important to note that Cybertrust is also a full service
> > >> security provider. They offer a wide range of services from
> > >> supporting secure product development services, to security testing,
> > >> and even forensic services. With that said, their services do not
> > >> seem to be anything special. In fact, they seem to be just about
> > >> average short of their horrible website and overwhelming marketing
> > >> fluff.
> > >>
> > >> It is our recommendation that you choose a different provider if you
> > >> are looking for well defined, high quality services. Cybertrust is
> > >> cloaked in a thick layer of marketing fluff and frankly doesn't seem
> > >> to be very easy to work with. That being said, they were also not
> > >> easy to review. If you disagree with this post or have worked with
> > >> Cybertrust in the past, then please leave us a comment. We're going
> > >> to give Cybertrust a "C" but if you can convince us that they deserve
> > >> a different grade then we'll revise our opinion.
> > >>
> > >> Thanks for reading.
> > >>
> > >> --
> > >> Posted By secreview to Professional IT Security Providers - Exposed
> > >> at 12/19/2007 07:32:00 PM
> > >> _______________________________________________
> > >> Full-Disclosure - We believe in it.
> > >> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > >> Hosted and sponsored by Secunia - http://secunia.com/
> > >>