lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <20071220092057.9u53cmeig0ggskoc@192.168.168.10>
Date: Thu, 20 Dec 2007 09:20:57 -0600
From: trains <trains@...torunix.com>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: [Professional IT Security Providers
	-	Exposed] Cybertrust ( C + )

I am a pentester and IDS/IPS administrator for a large-ish security  
firm.  None of our tech staff worked on the corporate web site.  We  
are too busy, and frankly, it's just not my bag.

Public facing websites are usually outsourced to professional graphics  
arts firms and developed under the supervision of the Director of  
Business Development.  It's usually a solid pile of fluffy buzzwords  
and crap.

I like where you are going, you're just not there yet.  Your  
methodology is weak.  You need to review the "actionability" of the  
deliverables.  Ask for sanitized sample reports.

The argument of who has the most leet hackers is unmeasurable and  
pointless.  For commercial security firms the real criteria needs to  
be focused on the business process that helps their clients improve  
their overall security posture.  Not just, "I found an XSS on your  
site", but how is the security infrastructure being managed and  
improved.

Try looking at the "actionability" aspect of the companies'  
deliverables and see if you don't get better findings.

Some possible things to look for:
   Do they include a screen shot for every finding?
   Do they correlate each finding to a specific spot of code in the  
vulnerable app?
   Do they work with your developers to assist with remediation and  
permanent resolution?
   How much app dev experience do the pentesters have?
   Do they have Language and framework specialists on staff to review  
each finding and make relevant remediation recommendations?
   Do they meet with the security team, the networking team, the  
server support team and the developer team separately in break-out  
sessions with specialists in each area?
   Does every finding include a recommendation for permanent remediation?

Please get better.  I like where you are going, you're just not there yet.

t.r.

-------------------------------------------------
Email solutions, MS Exchange alternatives and extrication,
security services, systems integration.
Contact:    services@...torunix.com


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ