Re: WebServices Testing



On Thu, 5 Oct 2006 14:56:25 -0400
"dallas jordan" wrote:
> I am tasked with doing some security testing on a new web services
> application our client is rolling out. I have never really tested a
> web service app before

So...
they pay you to do something you know hardly anything about?

and instead of getting someone who does know how to, you prefer to fumble a bit.
doesn't seem to take much to get those 'GCIH, CISSP' certificates.

sorry about the flame..
But... this is why the infosec bizz has become cowboy territory rather than a serious
profession.
and it ticks me off a bit, knowing that those who have put in the effort of learning how
it all really functions inside, are getting a bad name from the "just sell it first, and
then figure out later how to do it" types.

the times that we have looked at companies after they were certified secure, by cowboy
companies, and found endless amounts of flaws and serious holes, seems unreal, but is
fact.

but then again, as mentioned before, most companies do not want to hear how bad it
really is, and rather pay a little extra to get a 'filtered' report that they can proudly
show at their board meetings, and then pray to Loki that no one will find out about the
actual state of their infrastructure.

to sum this up, I think that the cowboys are responsible for the very low standard of
infosec awareness on this planet, and they profit from keeping it so.

and again, the Joe and Betty in the street are the victims, because their privacy
sensitive info and often their savings are compromised at some point, as we keep reading
in the media.
and those reports never say if that company or organisation was certified by any of the
so called security companies.

maybe it's time that each security certification selling company keeps a public list on
their website with all the names they sold them to.
so we all can see what the certification is really worth, but more to encourage those
companies to stop selling hot air.

Cheers, big ears.
*Anna.



