Date: Thu, 20 Dec 2007 12:37:32 -0500
From: "SecReview" <secreview@...hmail.com>
To: <full-disclosure@...ts.grok.org.uk>,<guinness.stout@...il.com>
Subject: Re: [Professional IT Security Providers -Exposed] Cybertrust ( C + )

That will come soon...

On Thu, 20 Dec 2007 10:32:51 -0500 "guiness.stout" <guinness.stout@...il.com> wrote:
>What kind of grading scale will you use?  A through F or maybe a 1 to 10 type scale?  I am very interested in your services!
>
>On Dec 20, 2007 10:09 AM, Kurt Dillard <kurtdillard@....com> wrote:
>>
>> Because it's absurd to write a review for a service without actually experiencing the service. The original poster's messages have only had entertainment value; they've had no value from an information security perspective. If you'd like to provide a link to your MSN profile and facebook pages I'll write up a resume for you. Does that sound like a good idea?
>>
>> From: full-disclosure-bounces@...ts.grok.org.uk [mailto:full-disclosure-bounces@...ts.grok.org.uk] On Behalf Of Epic
>> Sent: Thursday, December 20, 2007 11:56 AM
>> To: c0redump
>> Cc: full-disclosure@...ts.grok.org.uk
>> Subject: Re: [Full-disclosure] [Professional IT Security Providers -Exposed] Cybertrust ( C + )
>>
>> Isn't ANY review subjective to opinion?  I do not understand the basis of this flame.  It appears to me that a lot of the reviews on this site offer some great insight into the companies being presented.  Granted it is an opinion, but that is what a blog is, isn't it?
>>
>> On 12/20/07, c0redump <c0redump@...ers.org.uk> wrote:
>>
>> Exactly.  Your 'grading' is based on your personal opinion.
>>
>>  Do us all a favour and get a proper job.
>>
>>  ----- Original Message -----
>>  From: "guiness.stout" <guinness.stout@...il.com>
>>  To: <full-disclosure@...ts.grok.org.uk>
>>  Sent: Thursday, December 20, 2007 2:05 PM
>>  Subject: Re: [Full-disclosure] [Professional IT Security Providers -Exposed] Cybertrust ( C + )
>>
>>  > I'm not really clear on how you are grading these companies.  I've had no personal experience with them but I don't decide a company's quality of work simply by their website and what information I get from some customer support person.  These "grades" seem pointless and frankly unfounded.  You should reword your grading system to specify the ease of use of their websites and not the service they provide.  Especially if you haven't ordered any services from them.  I'm not defending anyone here, just pointing out some flaws in this "grading."
>>  >
>>  > On Dec 20, 2007 12:11 AM, secreview <secreview@...hmail.com> wrote:
>>  >> One of our readers made a request that we review Cybertrust ("http://www.cybertrust.com"). Cybertrust was recently acquired by Verizon and as a result this review was a bit more complicated and required a lot more digging to complete (in fact it's now Cybertrust and Netsec). Nevertheless, we managed to dig information specific to Cybertrust out of Verizon representatives. We would tell you that we used the website for information collection, but in all reality the website was useless. Not only was it horribly written and full of marketing fluff, but the services were not clearly defined.
>>  >>
>>  >> As an example, when you view the Cybertrust services in their drop down menu you are presented with the following service offerings: Application Security, Assessments, Certification, Compliance/Governance, Consulting, Enterprise Security, Identity Management Investigative Response/Forensics, Managed Security Services, Partner Security Program Security Management Program, and SSL Certificates. The first thing you think is "what the hell?" the second is "ok so they offer 12 services".
>>  >>
>>  >> Well as you dig into each service you quickly find out that they do not offer 12 services, but instead they have 12 links to 12 different pages full of marketing fluff. As you read each of the pages in an attempt to wrap your mind around what they are offering as individually packaged services you're left with more questions than answers. So again, what the hell?
>>  >>
>>  >> Here's an example. Their "Application Security" service page does not contain a description about a Web Application Security service. In fact, it doesn't even contain a description about a System Software/Application security service. Instead it contains a super high level, super vague and fluffy description that covers a really general idea of "Application" security services. When you really read into it you find out that their Application Security service should be broken down into multiple different defined service offerings.
>>  >>
>>  >> Even more frustrating is that their Application Security service is a consulting service and that they have a separate service offering called Consulting. When you read the description for Consulting, it is also vague and mostly useless, but does cover the "potential" for Application Security.
>>  >>
>>  >> So, trying to learn anything about Cybertrust from their web page is like trying to pull teeth out of a possessed chicken. We decided that we would move on and call Cybertrust to see what we could get out of them with a conversation. That proved to be a real pain in the ass too as their website doesn't list any telephone numbers. We ended up calling Verizon and after talking to 4 people we finally found a Cybertrust representative.
>>  >>
>>  >> At last, a human being that could provide us with useful information and answers to our questions about their services. We did receive about 2mb of materials from our contact at Cybertrust, but the materials were all marketing fluff, totally useless. That being said, our conversation with the representative gave us a very clear understanding of how Cybertrust delivers their services. In all honesty, we were not all that impressed.
>>  >>
>>  >> Cybertrust does perform their own Vulnerability Research and Development (or so we were told) under the umbrella of ICSAlabs which they own. Usually we'd say that this is great because that research is often used to augment services and enhance overall service quality. With respect to Cybertrust, we couldn't find out what they were doing with their research. They just told us that they don't release advisories and then refused to tell us what they did with the research.
>>  >>
>>  >> When we asked them about their services and testing methodologies, we were first told that they couldn't discuss that. We were told that their methodologies were confidential. But after a bit of Social Engineering and sweet talking we were able to get more information...
>>  >>
>>  >> As it turns out, the majority of the Cybertrust services rely on what they say are proprietary automated scanners which were developed in-house. Their methodology is to run the automated scanners against a specific target or set of targets, and then to pass the results to a seasoned professional. That professional then verifies the results via manual testing and produces a report that contains the vetted results.
>>  >>
>>  >> This methodology doesn't really offer any depth and doesn't do much to raise the proverbial security bar. In fact, it is only slightly better than running a Qualys scan, changing the wording of the report, and delivering that. Quality methodologies should contain no more than 20% automated testing and no less than 80% manual testing. Vulnerability discovery should be done via manual testing, not just via automated testing.
>>  >>
>>  >> In defense of Cybertrust, they did say that they would test in accordance with the customers' requirements. They also did say that if the customer wanted 100% manual testing that they would do it. If they want 100% automated "rubber stamp of approval" testing they would do that too. Saying it is a lot different than doing it though and we weren't impressed with their standard/default testing methodology as previously mentioned.
>>  >>
>>  >> It is important to note that Cybertrust is also a full service security provider. They offer a wide range of services from supporting secure product development services, to security testing, and even forensic services. With that said, their services do not seem to be anything special. In fact, they seem to be just about average short of their horrible website and overwhelming marketing fluff.
>>  >>
>>  >> It is our recommendation that you choose a different provider if you are looking for well defined, high quality services. Cybertrust is cloaked in a thick layer of marketing fluff and frankly doesn't seem to be very easy to work with. That being said, they were also not easy to review. If you disagree with this post or have worked with Cybertrust in the past, then please leave us a comment. We're going to give Cybertrust a "C" but if you can convince us that they deserve a different grade then we'll revise our opinion.
>>  >>
>>  >> Thanks for reading.
>>  >>
>>  >> --
>>  >>  Posted By secreview to Professional IT Security Providers - Exposed at 12/19/2007 07:32:00 PM
>>  >> _______________________________________________
>>  >> Full-Disclosure - We believe in it.
>>  >> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>  >> Hosted and sponsored by Secunia - http://secunia.com/
>>  >>
>>  >
>>
>

Regards,
      The Secreview Team
      http://secreview.blogspot.com
      Professional IT Security Service Providers - Exposed
