Re: Canned audits

ROB DIXON wrote:
Hi All,
We have had many audits in the past by 3 party vendors. My company is finally interested in performing some of these audits in house and a little more frequently than the annual 3rd party audits.
My question is, is there a software package, a "canned" audit that can be performed? Basic info gathering questions regarding authentication controls, network documentation(how and where it is stored), question that should be asked regarding wireless AP and other basic security questions?

OSSTMM + OWASP

http://www.isecom.org/osstmm/

http://www.owasp.org/index.jsp

You can also check out ISSAF:

http://www.oissg.org/content/view/71/71/

+ A couple of these:

http://www.darknet.org.uk/2006/03/10-best-security-live-cd-distros-pen-test-forensics-recovery/

Of course bear in mind whatever tools you use, you need the pre-requisite knowledge to interpret the results (Nessus for example gives a lot of false positives).

--
Gareth Davies - BS7799 LA, OPST

Manager - Security Practice

Network Security Solutions MSC Sdn. Bhd.
Suite E-07-21, Block E, Plaza Mont' Kiara, No. 2 Jalan Kiara,
Mont’ Kiara, 50480
Kuala Lumpur, Malaysia Phone: +603-6203 5303 or +603-6203 5920

www.mynetsec.com


------------------------------------------------------------------------------
This List Sponsored by: Cenzic

Concerned about Web Application Security? As attacks through web applications continue to rise, you need to proactively protect your applications from hackers. Cenzic has the most comprehensive solutions to meet your application security penetration testing and vulnerability management needs. You have an option to go with a managed service (Cenzic ClickToSecure) or an enterprise software (Cenzic Hailstorm). Download FREE whitepaper on how a managed service can help you: http://www.cenzic.com/forms/ec.php?pubid=10025
And, now for a limited time we can do a FREE audit for you to confirm your results from other product. Contact us at request@xxxxxxxxxx
------------------------------------------------------------------------------

Relevant Pages

  • Re: Canned audits
    ... I've been doing Testing In-house for a long time, and although I have yet to find anything that does all "canned" audits. ... Concerned about Web Application Security? ... Cenzic has the most comprehensive solutions to meet your application security penetration testing and vulnerability management needs. ... You have an option to go with a managed service or an enterprise software. ...
    (Pen-Test)
  • Enterprise Trainaing Programs
    ... After having several pen-tests and audits performed for me I see that I need to do more training for my users.. ... THis is really apparent for phishing security knowledge... ... How effective is CBT training of the user population using a LMS package? ... Download FREE whitepaper on how a managed service can ...
    (Pen-Test)
  • Re: Enterprise Trainaing Programs
    ... After having several pen-tests and audits performed for me I see that I need to do more training for my users.. ... Normally a security director orders this information from independent consulting companies. ... You have an option to go with a managed service or an enterprise software. ... Download FREE whitepaper on how a managed service can help you: http://www.cenzic.com/news_events/wpappsec.php And, now for a limited time we can do a FREE audit for you to confirm your results from other product. ...
    (Pen-Test)
  • RE: Canned audits
    ... scanners on the Internet. ... Subject: Canned audits ... penetration testing and vulnerability management needs. ... Download FREE whitepaper on how a managed service can help you: ...
    (Pen-Test)
  • Re: I need a reputable company to do a external firewall audit
    ... I'm guessing that someone other than the same company that sets up the security should test the security :-) ... You are the only person I remember claiming to have been through SOX audits. ... and their parent company, which owns 30 companies, needs a new firewall ... Calling an illegal alien an "undocumented worker" is like calling a ...
    (microsoft.public.windows.server.sbs)