Date: Thu, 20 Dec 2007 14:45:04 -0500
From: "SecReview" <secreview@...hmail.com>
To: <full-disclosure@...ts.grok.org.uk>, <trains@...torunix.com>,
	<elazar@...hmail.com>
Subject: Re: [Professional IT Security Providers -
	Exposed] Cybertrust ( C + )

Awesome, 
   So you were an RA Security customer, would you be willing to 
answer a few questions that we have so that we can revise our post? 
We don't want to post anything that is not accurate. Your help 
would be very much appreciated and we'd keep you anonymous. 

On Thu, 20 Dec 2007 11:49:23 -0500 elazar@...hmail.com wrote:
>"Public facing websites are usually outsourced to professional 
>graphics  
>arts firms and developed under the supervision of the Director of 
>Business Development.  It's usually a solid pile of fluffy 
>buzzwords and crap."
>
>It's sad how true this is. What makes it worse is half the time the 
>Director of Business Development doesn't even understand what the 
>company does. Unfortunately, in many companies, there is a huge 
>disconnect between the marketing side and those who actually 
>deliver the services. Someone had mentioned before that reviewing 
>companies based on their site was like reviewing a restaurant based 
>on their menu. Actually, this is worse, because at least at a 
>restaurant, generally, what is on the menu is what is served; this 
>isn't always the case with a corporate website. You have a very 
>good idea; however, trying to cut through marketing fluff on a 
>website isn't going to leave you with much of anything because 
>there is nothing there to begin with.
>
>On a side note, you had reviewed RA Security. My company has used 
>them in the past, and I do agree that their site may be a bit 
>disorganized, but I have found them to be very professional and 
>easy to work with.
>
>Elazar
>
>On Thu, 20 Dec 2007 10:20:57 -0500 trains <trains@...torunix.com> 
>wrote:
>>I am a pentester and IDS/IPS administrator for a large-ish 
>>security firm.  None of our tech staff worked on the corporate web 
>>site.  We are too busy, and frankly, it's just not my bag.
>>
>>Public facing websites are usually outsourced to professional 
>>graphics arts firms and developed under the supervision of the 
>>Director of Business Development.  It's usually a solid pile of 
>>fluffy buzzwords and crap.
>>
>>I like where you are going, you're just not there yet.  Your 
>>methodology is weak.  You need to review the "actionability" of 
>>the deliverables.  Ask for sanitized sample reports.
>>
>>The argument of who has the most leet hackers is unmeasurable and 
>>pointless.  For commercial security firms the real criteria need 
>>to be focused on the business process that helps their clients 
>>improve their overall security posture.  Not just, "I found an XSS 
>>on your site", but how is the security infrastructure being managed 
>>and improved.
>>
>>Try looking at the "actionability" aspect of the companies' 
>>deliverables and see if you don't get better findings.
>>
>>Some possible things to look for:
>>   Do they include a screen shot for every finding?
>>   Do they correlate each finding to a specific spot of code in 
>>the vulnerable app?
>>   Do they work with your developers to assist with remediation 
>>and permanent resolution?
>>   How much app dev experience do the pentesters have?
>>   Do they have language and framework specialists on staff to 
>>review each finding and make relevant remediation recommendations?
>>   Do they meet with the security team, the networking team, the 
>>server support team and the developer team separately in break-out 
>>sessions with specialists in each area?
>>   Does every finding include a recommendation for permanent 
>>remediation?
>>
>>Please get better.  I like where you are going, you're just not 
>>there yet.
>>
>>t.r.
>>
>>-------------------------------------------------
>>Email solutions, MS Exchange alternatives and extrication,
>>security services, systems integration.
>>Contact:    services@...torunix.com
>>
>>
>>_______________________________________________
>>Full-Disclosure - We believe in it.
>>Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>Hosted and sponsored by Secunia - http://secunia.com/
>
>
Regards, 
      The Secreview Team
      http://secreview.blogspot.com

      Professional IT Security Service Providers - Exposed
