Re: My Frustrations
: I recently wrote this blog entry and wanted to get some comments from
: readers of this list. I'm frustrated with the caliber of the people that
: are offering security services and posing as experts, that's the subject
: of the post. Please comment, insult, whatever... I'm interested.
:
: http://snosoft.blogspot.com/

You are preaching to a (very small) choir here. The kind of choir that
everyone thinks they are a part of.

First, this problem isn't new [1]. The industry has had its fair share of
charlatans and frauds over the years. In the last five years, the number
of posts to this list and others that start out with "i've been
[hired|told|contracted] to do a pen test of our
[network|application|physical] security, where do i begin?" is bordering
on absurd. Many of the posts are done from gmail accounts that have no
obvious association with a name or company, for obvious reasons.

Second, the number of times you see these questions come from 'certified'
professionals is silly. I frequently get forwards from lists full of
CISSPs that post this kind of question, begging the world to wonder why
anyone thinks that certification holds water. If not certified, from
people with 'security' and/or 'engineer' in their official title. Some
posts suggest a company decided to tell a junior analyst to do a full
blown pen-test, likely to save a few bucks. Others, the wannabe-pentester
is definitely over eager and grossly exaggerating their claims of being
qualified.

Last, it's only going to get worse.

- jericho


[1] http://attrition.org/errata/