[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <20071220092057.9u53cmeig0ggskoc@192.168.168.10>
Date: Thu, 20 Dec 2007 09:20:57 -0600
From: trains <trains@...torunix.com>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: [Professional IT Security Providers
- Exposed] Cybertrust ( C + )
I am a pentester and IDS/IPS administrator for a large-ish security
firm. None of our tech staff worked on the corporate web site. We
are too busy, and frankly, it's just not my bag.
Public facing websites are usually outsourced to professional graphics
arts firms and developed under the supervision of the Director of
Business Development. It's usually a solid pile of fluffy buzzwords
and crap.
I like where you are going, you're just not there yet. Your
methodology is weak. You need to review the "actionability" of the
deliverables. Ask for sanitized sample reports.
The argument of who has the most leet hackers is unmeasurable and
pointless. For commercial security firms the real criteria needs to
be focused on the business process that helps their clients improve
their overall security posture. Not just, "I found an XSS on your
site", but how is the security infrastructure being managed and
improved.
Try looking at the "actionability" aspect of the companies'
deliverables and see if you don't get better findings.
Some possible things to look for:
Do they include a screen shot for every finding?
Do they correlate each finding to a specific spot of code in the
vulnerable app?
Do they work with your developers to assist with remediation and
permanent resolution?
How much app dev experience do the pentesters have?
Do they have Language and framework specialists on staff to review
each finding and make relevant remediation recommendations?
Do they meet with the security team, the networking team, the
server support team and the developer team separately in break-out
sessions with specialists in each area?
Does every finding include a recommendation for permanent remediation?
Please get better. I like where you are going, you're just not there yet.
t.r.
-------------------------------------------------
Email solutions, MS Exchange alternatives and extrication,
security services, systems integration.
Contact: services@...torunix.com
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists