Re: WebServices Testing
- From: "mailing lists" <bofn@xxxxxxx>
- Date: Sun, 08 Oct 2006 12:52:24 +0200
On Fri, 6 Oct 2006 10:27:58 -0400
"Paul Melson" <pmelson@xxxxxxxxx> wrote:
-----Original Message-----;-)
Subject: Re: WebServices Testing

>> So...
>> they pay you to do something you know hardly anything about?
>
> I doubt the letter of intent puts it *that* way. :-)

*humble salute*

>> but then again, as mentioned before, most companies do not want to hear how bad it really is, and
>> rather pay a little extra to get a 'filtered' report that they can proudly show at their board meetings,
>> and then pray to Loki that no one will find out about the actual state of their infrastructure.
>
> You're half right. I'm sure his client wants a report that says that their
> network, their applications, their financials, and their manhoods are all
> secure. But I doubt they're hoping nobody finds out the ugly truth about
> their infrastructure because I would wager a guess that they have no idea,
> either.

Correction/addition: if/when they find out, they will often not want to know, in my
experience, and often make it not appear in their final version of the report.
I've been asked many times to take things out of reports, and just told them "you also
get a digital copy...." {hint}

>> to sum this up, I think that the cowboys are responsible for the very low standard of infosec awareness
>> on this planet, and they profit from keeping it so.
>
> I disagree. Customers that demand cheap, "teach-to-the-test" audits are
> what make so-called cowboy project work possible.

Do you think one should punish junkies rather than dealers?
Or... lock out the dealers and try to ensure no dope is required, by guiding the
potential junkies away from it.
;-P

> In this case, I think it's unfair to impeach Dallas' skills or ethics.

Nope.. 1st learned how to program from scratch such a service, on a few platforms.

> Everybody has to learn some time, and let's not pretend that we've all been
> auditing web services since day one.
> I'll be the first to say it's not

:-))

> something I've ever done. At least he knows what he doesn't know and is
> asking for help now. Believe me when I tell you there are plenty of
> consultants that would've just pointed Nessus at it and given them a clean
> report or told them that they need to block ICMP timestamp requests.
> I do, however, think it's crappy that his employer has put Dallas and their

I think that the lad wants to run before he can walk

> client in a position to succeed poorly or fail well. If the client does
> their homework and brings all of their resources to the table to assist in
> the audit and remediation process, poor Dallas will be found out as having
> no experience in this arena. If they don't the audit may go off without
> incident, but the value and depth may be lacking also.

and should tag along with an experienced person before walking it alone.

> But at least the important objective - the account manager making 7%

*grin*

> commission on a five-figure audit engagement - will be achieved. Not that
> I'm jaded or anything.

:)

>> and again, the joe and betty in the street are the victim, because their privacy sensitive info and
>> often their savings are compromised at some point, as we keep reading in the media.
>
> The botherders were going to do it anyway. At least now there will be a
> class action lawsuit that they can get in on. :-)
>
> PaulM

*Anna
--
"The power of accurate observation is frequently called cynicism by those who don't have
it."