Re: [Full-disclosure] [Professional IT Security Providers - Exposed] Cybertrust ( C + )
- From: <elazar@xxxxxxxxxxxx>
- Date: Thu, 20 Dec 2007 15:39:20 -0500
I don't mind answering some questions, however we had used them for
a very basic scan so I couldn't tell you anything as far as their
more in-depth services.
Elazar
On Thu, 20 Dec 2007 14:45:04 -0500 SecReview
<secreview@xxxxxxxxxxxx> wrote:
Awesome,
So you were an RA Security customer, would you be willing to
answer a few questions that we have so that we can revise our
post?
We don't want to post anything that is not accurate. Your help
would be very much appreciated and we'd keep you anonymous.
On Thu, 20 Dec 2007 11:49:23 -0500 elazar@xxxxxxxxxxxx wrote:
"Public facing websites are usually outsourced to professional graphics arts firms and developed under the supervision of the Director of Business Development. It's usually a solid pile of fluffy buzzwords and crap."
It's sad how true this is. What makes it worse is half the time the Director of Business Development doesn't even understand what the company does. Unfortunately, in many companies, there is a huge disconnect between the marketing side and those who actually deliver the services. Someone had mentioned before that reviewing companies based on their site was like reviewing a restaurant based on their menu. Actually, this is worse, because at least at a restaurant, generally, what is on the menu is what is served; this isn't always the case with a corporate website. You have a very good idea, however, trying to cut through marketing fluff on a website isn't going to leave you with much of anything because there is nothing there to begin with.
On a side note, you had reviewed RA Security. My company has used them in the past, and I do agree that their site may be a bit disorganized, but I have found them to be very professional and easy to work with.
Elazar
On Thu, 20 Dec 2007 10:20:57 -0500 trains <trains@xxxxxxxxxxxxxx> wrote:
I am a pentester and IDS/IPS administrator for a large-ish security firm. None of our tech staff worked on the corporate web site. We are too busy, and frankly, it's just not my bag.
Public facing websites are usually outsourced to professional graphics arts firms and developed under the supervision of the Director of Business Development. It's usually a solid pile of fluffy buzzwords and crap.
I like where you are going, you're just not there yet. Your methodology is weak. You need to review the "actionability" of the deliverables. Ask for sanitized sample reports.
The argument of who has the most leet hackers is unmeasurable and pointless. For commercial security firms the real criteria needs to be focused on the business process that helps their clients improve their overall security posture. Not just, "I found an XSS on your site", but how is the security infrastructure being managed and improved.
Try looking at the "actionability" aspect of the companies' deliverables and see if you don't get better findings.
Some possible things to look for:
Do they include a screen shot for every finding?
Do they correlate each finding to a specific spot of code in the vulnerable app?
Do they work with your developers to assist with remediation and permanent resolution?
How much app dev experience do the pentesters have?
Do they have language and framework specialists on staff to review each finding and make relevant remediation recommendations?
Do they meet with the security team, the networking team, the server support team and the developer team separately in break-out sessions with specialists in each area?
Does every finding include a recommendation for permanent remediation?
Please get better. I like where you are going, you're just not there yet.
t.r.
-------------------------------------------------
Email solutions, MS Exchange alternatives and extrication, security services, systems integration.
Contact: services@xxxxxxxxxxxxxx
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Regards,
The Secreview Team
http://secreview.blogspot.com
Professional IT Security Service Providers - Exposed