Date: Thu, 20 Dec 2007 19:19:16 -0500
From: "SecReview" <secreview@...hmail.com>
To: <full-disclosure@...ts.grok.org.uk>,<secreview.exposed@...il.com>
Subject: Re: [Professional IT Security Reviewers - Exposed] SecReview ( F - )

1.) What are your qualifications for reviewing these companies?

We are a team of security professionals that have been performing a 
wide array of penetration tests, vulnerability assessments, web 
application security services etc. One of our team members has 
founded two different security companies both of which have been 
very successful and have offered high quality services. Yes we have 
all sorts of pretty little certifications, but those don't really 
matter. 
2.) Your criteria for review are clearly flawed.  Reviewing 
marketing material, websites, etc. is just ridiculous.  Typically 
these are not created by the security team itself, but instead the 
marketing department for a company.  You only just mentioned that 
you started reviewing sample reports, and that not all companies 
are willing to provide these.  How could you possibly review a 
company WITHOUT a sample report at the minimum?

We review companies based on what we are given by the companies and 
based on what we can find on the internet, with Google, etc. Our 
reviews are only as good as what we can find. That is why each 
review is open for debate and why we form an opinion that can be 
changed. To date, we've had no complaints about our reviews and, for 
the most part, according to readers they have been spot on.

3.) What is your scoring system?  Do you even have one?

We do have a scoring system but are still refining it. We are 
trying to find a way to set more clear boundaries between scores so 
that scores are based more on fact than opinion. Right now, they 
are mostly based on opinion and what we as professionals consider 
quality services. 

4.) If company A does not submit themselves for review, and 
therefore will not provide you with the information you need to 
review them, do they get a lower score? 

No, if a company does not submit themselves for review they do not 
get a lower score. In fact, most companies do not submit themselves 
for review but still provide us with sample reports when we call 
them. Sample reports help out for obvious reasons, but then again 
so do all of the other aspects of our research.
We are for all intents and purposes akin to a prospective client 
looking for an assessment. What we see during a review is what a 
prospect would see if they took the time to really dig in and 
analyze security companies. Our opinions are non-biased, all 
companies start with an A. 

Did that help? 

P.S.  Next time you might want to base your opinion off of the blog 
instead of reading just a few emails. Then at least you could offer 
useful critical insight into what we are doing. 


Regards, 
      The Secreview Team
      http://secreview.blogspot.com

      Professional IT Security Service Providers - Exposed

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
