| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 20 Dec 2007 16:49:30 -0800 From: coderman <coderman@...il.com> To: SecReview <secreview@...hmail.com> Cc: secreview.exposed@...il.com, full-disclosure@...ts.grok.org.uk Subject: Re: [Professional IT Security Reviewers - Exposed] SecReview ( F - ) I've edited this document to remove ambiguous and self aggrandizing language. On Dec 20, 2007 4:19 PM, SecReview <secreview@...hmail.com> wrote: > 1.) What are your qualifications for reviewing these companies? > > We are a team of security professionals that have been performing a > wide array of penetration tests, vulnerability assessments, web > application security services etc. "We've downloaded backtrack and eEye warez. Can also run nmap." > One of our team members has > founded two different security companies both of which have been > very successful and have offered high quality services. "One of our members is n3td3v. A blog counts as a business if it hosts google ads." > Yes we have > all sorts of pretty little certifications, but those don't really > matter. "We have at least two of something in in this list: CPA, CISSP, CISM, CISA, CCNA, CCSE, CCSA, GCIA, GCIH, GCFW, GIAC, GSNA, GCFA, GCUX, GSEC, GSUX, QUE, GQUE, WTFBBQ" > We review companies based on what we are given by the companies and > based on what we can find on the internet, with Google, etc. Our > reviews are only as good as what we can find. "Our reviews can only detect obvious crap. Any positive mention is meaningless." > That is why each > review is open for debate and why we form an opinion that can be > changed. To date, we've had no complaints about our reviews and for > the most part according to readers have been spot on. "Complaints? They don't exist unless we say so!" > We do have a scoring system but are still refining it. We are > trying to find a way to set more clear boundaries between scores so > that scores are based more on fact than opinion. "We are having trouble defining objective measures for useless information. For some reason this results in useless metrics; we are confused, but working diligently on this problem." > Right now, they > are mostly based on opinion and what we as professionals consider > quality services. "For now we use the 'ooh shiny!' method, and don't forget, we can still detect obvious crap. (and save you 2.7 minutes surfing that site yourself. oh wait, real security professionals don't find audit teams from google ads. nevermind!)" > We are for all intents and purposes akin to a prospective client > looking for an assessment. What we see during a review is what a > prospect would see if they took the time to really dig in and > analyze security companies. Our opinions are non-biased, all > companies start with an A. "We are akin to a prospective client cold calling some company found on the web and asking for sample reports. This saves you the time of asking for sample reports to see if they really have them. If you were to really dig in, and read these reports, you might discover the obviously crap companies as effectively as we do. (oh wait, real security professionals don't find audit teams from google ads. nevermind!)" --- now for my review: Sec Review Sucks sucks! while sec review is not as useful and informative as may be desired, they can still flag the obviously crap for you, and save you 2.7 minutes of surf time better spent on pr0n. Sec Review: D- Sec Review Sucks: F _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists