Re: Pentest Letter of Achievement/Certificate

From: blowfish 448 (
Date: 07/14/05

    Date: Thu, 14 Jul 2005 08:09:07 +0200


    I won't go so far as to say they are looking for golden stars and blinking seals on the web site or anything. They merely need such a letter as a statement to their customers to show they take security seriously and that their environment/applications are verified according to a certain procedure/methodology prior to launching it. The final report, however, they do not want to disclose due to the sensitive, confidential information it contains. They also accept and understand that such a statement does not provide any warranty whatsoever and only represents a certain situation in time.


    >From: "R. DuFresne" <>
    >To: <julie.holmwood>
    >CC: "blowfish 448" <>,<>
    >Subject: Re: Pentest Letter of Achievement/Certificate
    >Date: Thu, 14 Jul 2005 05:45:52 +0100
    >Isn't the final report, the pentester's report, what is being asked for here? (0)
    >Or are companies really hung up on and seeking gold stars to post in public
    >areas and at the bottom of stationery? Kinda like the certifications that
    >M$ got for NT back in the late 90's I guess, meaningless in any env other
    >than the single system they had tested....
    >Ron DuFresne
    >(0) In most cases that pentester's report is likely to be backed with the
    >corp documentation showing how they mitigated the issues found during the
    >pentest. After all, few companies should ever come out of a thorough
    >pentest unscathed. So they document how they corrected what was
    >discovered, and perhaps have another outside party verify the
    >'corrections'. But gold stars and report cards, or neat little
    >certificates in frames? <shakes his head>
    >On Tue, 12 Jul 2005, John Kinsella wrote:
    >>I think might cover what you're looking
    >>On Tue, Jul 12, 2005 at 10:52:42PM +0200, blowfish 448 wrote:
    >>>Any of you know if any 'standards' or accepted guidelines exist for a
    >>>letter or certification of successful resistance to Penetration
    >>>Testing/Vulnerability Assessment. Customers often demand to have proof
    >>>delivered by their Penetration Test service to show to their partners
    >>>and customers.
    >>>The idea of course is not to disclose sensitive information but to
    >>>the environment tested and how - according to which methodologies and the
    >>>attack vectors tested for.
    >>>Thanks in advance
    >- -- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    > admin & senior security consultant:
    >Key fingerprint = 9401 4B13 B918 164C 647A E838 B2DF AFCC 94B0 6629
    >...We waste time looking for the perfect lover
    >instead of creating the perfect love.
    > -Tom Robbins <Still Life With Woodpecker>
