lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <006b01c84312$38bc8390$05102dd9@gizmo>
Date: Thu, 20 Dec 2007 14:11:29 -0000
From: "c0redump" <c0redump@...ers.org.uk>
To: <full-disclosure@...ts.grok.org.uk>
Subject: Re: [Professional IT Security Providers -Exposed]
	Cybertrust ( C + )

Exactly.  Your 'grading' is based on your personal opinion.

Do us all a favour and get a proper job.

----- Original Message ----- 
From: "guiness.stout" <guinness.stout@...il.com>
To: <full-disclosure@...ts.grok.org.uk>
Sent: Thursday, December 20, 2007 2:05 PM
Subject: Re: [Full-disclosure] [Professional IT Security Providers -Exposed] 
Cybertrust ( C + )


> I'm not really clear on how you are grading these companies.  I've had
> no personal experience with them but I don't decide a companies
> quality of work simply by their website and what information I get
> from some customer support person.  These "grades" seem pointless and
> frankly unfounded.  You should reword your grading system to specify
> the ease of use of their websites and not the service they provide.
> Especially if you haven't ordered any services from them.  I'm not
> defending anyone here just pointing out some flaws in this "grading."
>
> On Dec 20, 2007 12:11 AM, secreview <secreview@...hmail.com> wrote:
>> One of our readers made a request that we review Cybertrust
>> ("http://www.cybertrust.com"). Cybertrust was recently acquired by 
>> Verizon
>> and as a result this review was a bit more complicated and required a lot
>> more digging to complete (In fact its now Cybertrust and Netsec). Never 
>> the
>> less, we managed to dig information specific to Cybertrust out of Verizon
>> representatives. We would tell you that we used the website for 
>> information
>> collection, but in all reality the website was useless. Not only was it
>> horribly written and full of marketing fluff, but the services were not
>> clearly defined.
>>
>> As an example, when you view the Cybertrust services in their drop down 
>> menu
>> you are presented with the following service offerings: Application
>> Security, Assessments, Certification, Compliance/Governance, Consulting,
>> Enterprise Security, Identity Management Investigative Response 
>> /Forensics,
>> Managed Security Services, Partner Security Program Security Management
>> Program, and SSL Certificates. The first thing you think is "what the 
>> hell?"
>> the second is "ok so they offer 12 services".
>>
>> Well as you dig into each service you quickly find out that they do not
>> offer 12 services, but instead they have 12 links to 12 different pages 
>> full
>> of marketing fluff. As you read each of the pages in an attempt to wrap 
>> your
>> mind around what they are offering as individually packaged services 
>> you're
>> left with more questions than answers. So again, what the hell?
>>
>> Here's an example. Their "Application Security" service page does not
>> contain a description about a Web Application Security service. In fact, 
>> it
>> doesn't even contain a description about a System Software/Application
>> security service. Instead it contains a super high level, super vague and
>> fluffy description that covers a really general idea of "Application"
>> security services. When you really read into it you find out that their
>> Application Security service should be broken down into multiple 
>> different
>> defined service offerings.
>>
>> Even more frustrating is that their Application Security service is a
>> consulting service and that they have a separate service offering called
>> Consulting. When you read the description for Consulting, it is also 
>> vague
>> and mostly useless, but does cover the "potential" for Application 
>> Security.
>>
>> So, trying to learn anything about Cybertrust from their web page is like
>> trying to pull teeth out of a possessed chicken. We decided that we would
>> move on and call Cybertrust to see what we could get out of them with a
>> conversation. That proved to be a real pain in the ass too as their 
>> website
>> doesn't list any telephone numbers. We ended up calling verizon and after
>> talking to 4 people we finally found a Cybertrust representative.
>>
>> At last, a human being that could provide us with useful information and
>> answers to our questions about their services. We did receive about 2mb 
>> of
>> materials from our contact at Cybertrust, but the materials were all
>> marketing fluff, totally useless. That being said, our conversation with 
>> the
>> representative gave us a very clear understanding of how Cybertrust 
>> delivers
>> there services. In all honesty, we were not all that impressed.
>>
>> Cybertrust does perform their own Vulnerability Research and Development 
>> (or
>> so we were told) under the umbrella of ICSAlabs which they own. Usually 
>> we'd
>> say that this is great because that research is often used to augment
>> services and enhance overall service quality. With respect to Cybertrust, 
>> we
>> couldn't find out what they were doing with their research. They just 
>> told
>> us that they don't release advisories and then refused to tell us what 
>> they
>> did with the research.
>>
>> When we asked them about their services and testing methodologies, we 
>> were
>> first told that they couldn't discuss that. We were told that their
>> methodologies were confidential. But after a bit of Social Engineering 
>> and
>> sweet talking we were able to get more information...
>>
>> As it turns out, the majority of the Cybertrust services rely on what 
>> they
>> say are proprietary automated scanners which were developed in-house. 
>> Their
>> methodology is to run the automated scanners against a specific target or
>> set of targets, and then to pass the results to a seasoned professional.
>> That professional then verifies the results via manual testing and 
>> produces
>> a report that contains the vetted results.
>>
>> This methodology doesn't really offer any depth and doesn't do much to 
>> raise
>> the proverbial security bar. In fact, it is only slightly better than
>> running a Qualys scan, changing the wording of the report, and delivering
>> that. Quality methodologies should contain no more than 20% automated
>> testing and no less than 80% manual testing. Vulnerability discovery 
>> should
>> be done via manual testing, not just via automated testing.
>>
>> In defense of Cybertrust, they did say that they would test in accordance
>> with the customers requirements. They also did say that if the customer
>> wanted 100% manual testing that they would do it. If they want 100%
>> automated "rubber stamp of approval" testing they would do that too. 
>> Saying
>> it is a lot different than doing it though and we weren't impressed with
>> their standard/default testing methodology as previously mentioned.
>>
>> It is important to note that Cybertrust is also a full service security
>> provider. They offer a wide range of services from supporting secure 
>> product
>> development services, to security testing, and even forensic services. 
>> With
>> that said, their services do not seem to be anything special. In fact, 
>> they
>> seem to be just about average short of their horrible website and
>> overwhelming marketing fluff.
>>
>> It is our recommendation that you choose a different provider if you are
>> looking for well defined, high quality services. Cybertrust is cloaked in 
>> a
>> thick layer of marketing fluff and frankly doesn't seem to be very easy 
>> to
>> work with. That being said, they were also not easy to review. If you
>> disagree with this post or have worked with Cybertrust in the past, then
>> please leave us a comment. We're going to give Cybertrust a "C" but if 
>> you
>> can convince us that they deserve a different grade then we'll revise our
>> opinion.
>>
>> Thanks for reading.
>>
>> --
>>  Posted By secreview to Professional IT Security Providers - Exposed at
>> 12/19/2007 07:32:00 PM
>> _______________________________________________
>> Full-Disclosure - We believe in it.
>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> Hosted and sponsored by Secunia - http://secunia.com/
>>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
> 

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ