RE: Pentest Letter of Achievement/Certificate

From: Moonen, Ralph (Moonen.Ralph_at_kpmg.nl)
Date: 07/13/05

    Date: Wed, 13 Jul 2005 09:14:09 +0200
    To: "blowfish 448" <blowfish448@hotmail.com>, <pen-test@securityfocus.com>
    
    

    Hi,

    No such standard exists, and if it did, it shouldn't. We also have
    clients that request such a thing but we do not give them anything like
    it because it is utterly useless (change 1 bit or discover 1 new vuln
    and any statement has become BS) and potentially a liability for the
    issuing party. Instead we try to educate the client on why it is useless
    and what they should do instead (such as do a real audit and get an
    audit report or SAS70 report or TPA).

    Cheers!

    --Ralph

    -----Original Message-----
    From: blowfish 448 [mailto:blowfish448@hotmail.com]
    Sent: Tuesday, 12 July 2005 22:53
    To: pen-test@securityfocus.com
    Cc: blowfish448@hotmail.com
    Subject: Pentest Letter of Achievement/Certificate

    Hi,

    any of you know if any 'standards' or accepted guidelines exist for a
    letter or certification of successful resistance to Penetration
    Testing/Vulnerability Assessment? Customers often demand to have a
    proof delivered by their Penetration Test service provider to show to
    their partners and customers.

    The idea of course is not to disclose sensitive information but to
    briefly describe the environment tested and how - according to which
    methodologies and the attack vectors tested for.

    Thanks in advance
