Message-Id: <20071220203920.BFF62118039@mailserver5.hushmail.com>
Date: Thu, 20 Dec 2007 15:39:20 -0500
From: <elazar@...hmail.com>
To: <full-disclosure@...ts.grok.org.uk>, <trains@...torunix.com>,
<secreview@...hmail.com>
Subject: Re: [Professional IT Security Providers - Exposed] Cybertrust ( C + )
I don't mind answering some questions, however we had used them for
a very basic scan so I couldn't tell you anything as far as their
more in-depth services.
Elazar
On Thu, 20 Dec 2007 14:45:04 -0500 SecReview
<secreview@...hmail.com> wrote:
>Awesome,
> So you were an RA Security customer, would you be willing to
>answer a few questions that we have so that we can revise our
>post?
>We don't want to post anything that is not accurate. Your help
>would be very much appreciated and we'd keep you anonymous.
>
>On Thu, 20 Dec 2007 11:49:23 -0500 elazar@...hmail.com wrote:
>>"Public facing websites are usually outsourced to professional
>>graphics arts firms and developed under the supervision of the
>>Director of Business Development. It's usually a solid pile of
>>fluffy buzzwords and crap."
>>
>>It's sad how true this is. What makes it worse is half the time the
>>Director of Business Development doesn't even understand what the
>>company does. Unfortunately, in many companies, there is a huge
>>disconnect between the marketing side and those who actually
>>deliver the services. Someone had mentioned before that reviewing
>>companies based on their site was like reviewing a restaurant based
>>on their menu. Actually, this is worse, because at least at a
>>restaurant, generally, what is on the menu is what is served; this
>>isn't always the case with a corporate website. You have a very
>>good idea, however, trying to cut through marketing fluff on a
>>website isn't going to leave you with much of anything because
>>there is nothing there to begin with.
>>
>>On a side note, you had reviewed RA Security. My company has used
>>them in the past, and I do agree that their site may be a bit
>>disorganized but I have found them to be very professional and easy
>>to work with.
>>
>>Elazar
>>
>>On Thu, 20 Dec 2007 10:20:57 -0500 trains <trains@...torunix.com>
>>wrote:
>>>I am a pentester and IDS/IPS administrator for a large-ish security
>>>firm. None of our tech staff worked on the corporate web site. We
>>>are too busy, and frankly, it's just not my bag.
>>>
>>>Public facing websites are usually outsourced to professional
>>>graphics arts firms and developed under the supervision of the
>>>Director of Business Development. It's usually a solid pile of
>>>fluffy buzzwords and crap.
>>>
>>>I like where you are going, you're just not there yet. Your
>>>methodology is weak. You need to review the "actionability" of the
>>>deliverables. Ask for sanitized sample reports.
>>>
>>>The argument of who has the most leet hackers is unmeasurable and
>>>pointless. For commercial security firms the real criteria needs to
>>>be focused on the business process that helps their clients improve
>>>their overall security posture. Not just, "I found an XSS on your
>>>site", but how is the security infrastructure being managed and
>>>improved.
>>>
>>>Try looking at the "actionability" aspect of the companies'
>>>deliverables and see if you don't get better findings.
>>>
>>>Some possible things to look for:
>>> Do they include a screen shot for every finding?
>>> Do they correlate each finding to a specific spot of code in the
>>>vulnerable app?
>>> Do they work with your developers to assist with remediation and
>>>permanent resolution?
>>> How much app dev experience do the pentesters have?
>>> Do they have language and framework specialists on staff to review
>>>each finding and make relevant remediation recommendations?
>>> Do they meet with the security team, the networking team, the
>>>server support team and the developer team separately in break-out
>>>sessions with specialists in each area?
>>> Does every finding include a recommendation for permanent
>>>remediation?
>>>
>>>Please get better. I like where you are going, you're just not
>>>there yet.
>>>
>>>t.r.
>>>
>>>-------------------------------------------------
>>>Email solutions, MS Exchange alternatives and extrication,
>>>security services, systems integration.
>>>Contact: services@...torunix.com
>>>
>Regards,
> The Secreview Team
> http://secreview.blogspot.com
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/