Re: Pentesting tool - Commercial



Salve,


-----Original Message-----
From: listbounce@xxxxxxxxxxxxxxxxx [mailto:listbounce@xxxxxxxxxxxxxxxxx] On
behalf of Andre Gironda
Sent: Tuesday, 4 March 2008 22:05
To: pen-test
Cc: Trygve Aasheim
Subject: Re: Pentesting tool - Commercial

On Tue, Mar 4, 2008 at 12:54 PM, Trygve Aasheim <trygve@xxxxxxxxxxxxx>
wrote:
This might be a bit hard for you to understand, I see that, but just

<snip>


The deliverable shouldn't be awareness - it should be workable
solutions. Most of the time - these aren't technical at all.
Strategy consulting is a good start to any project of this nature, and
while the cost might be the same as a two-week assessment, it only
takes up 1-2 days of a client's time, which really equates to much
better savings for the client because a two-week assessment is a large
investment for them.

I would hit a few key areas:
1) Software acquisition. How does the client acquire new software?
Does it come with hardware out-of-the-box (e.g. installed on a
router)?
2) Software update. How does the client upgrade/update their software?
3) Software configuration. How does the client configure their
software? How do they handle changes?
4) Software development. Does the client write their own software?
What processes do they use?

I'm fairly impressed with the BITS Shared Assessments Program
Standardized Information Gathering questionnaire as a starting point,
which is also available in a SIG-Lite version. Note that you don't
have to be under SOX, ISO27k, or PCI "law" to follow COBIT, ISO 27002,
or PCI-DSS.


I totally agree with you on this. A penetration test is good as a last touch to IT security, but in a not very security-aware company the real problems show up more easily in a one-hour interview. Many customers buy the pentest because they are afraid to talk about their organizational difficulties like patch, user, password and service management. That's where the exploits the hacker will find hail from, and that's where they need to be fixed. Like when you pentest a company, deliver the report and, while being treated to a tour of the premises, see that the server room has normal windows level with the ground ...

We usually do an assessment based on http://www.bsi.de/english/gshb/index.htm ; they have the only standard that covers physical, logical and organizational security, and it is very thorough, down to earth and with loads of detailed security measures to compare against.

--
Kind regards

Christoph Puppe
Security Consultant


We secure your business.(TM)
_______________________________________________________

HiSolutions AG Phone: +49 30 533289-0
Bouchéstrasse 12 Fax: +49 30 533289-99
D-12435 Berlin Internet: http://www.hisolutions.com
_______________________________________________________

Minimum information for business e-mail correspondence under §37a HGB:

Sitz der Gesellschaft / registered office:
Berlin

Handelsregistereintrag / Commercial register:
Amtsgericht Berlin Charlottenburg - HRB 80155

Vorstand / Management Board:
Torsten Heinrich, Timo Kob, Michael Langhoff

Vorsitzender des Aufsichtsrates / Chairman of the supervisory board:
Prof. Dr. Klaus Müller

