Re: WebServices Testing

On Thu, 5 Oct 2006 14:56:25 -0400
"dallas jordan" wrote
I am tasked with doing some security testing on a new web services
application our client is rolling out. I have never really tested a
web service app before

they pay you to do something you know hardly anything about?

and instead of getting someone who does know how to, you prefer to fumble a bit.
doesnt seem to take much to get those 'GCIH, CISSP' certificates.

sorry about the flame..
But,,, this is why the infosec bizz has become cowboy territory rather then a serious
and it ticks me off a bit, knowing that those who have put in the effort of learning how
it all really functions inside, are getting a bad name from the "just sell it first, and
then figure out later how to do it" types.

the times that we have looked at companies after they where certified secure, by cowboy
companies, and found endless amounts of flaws and serious holes, seems unreal, but is

but then again, as mentioned before, most companies do not want to hear how bad it
really is, and rather pay a little extra to get a 'filtered' report that they can proudly
show at their board meetings, and then pray to Loki that no one will find out about the
actual state of their infrastructure.

to sum this up, i think that the cowboys are responsible for the very low standard of
infosec awareness on this planet, and they profit from keeping it so.

and again, the joe and betty in the street are the victim, because their privacy
sensitive info and often their savings are compromised at some point, as we keep reading
in the media.
and those reports never say if that company or organisation was certified by any of the
so called security companies.

maybe its time that each security certification selling company keeps a public list on
their website with all the names they sold them to.
so we all can see what the certification is really worth, but more to encourage those
companies to stop selling hot air.

Cheers, big ears.

This List Sponsored by: Cenzic

Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.