Re: [Dailydave] Anonymized reply

From: Daniel (deeper@gmail.com)
Date: Tue Aug 24 2004 - 05:42:03 CDT


Actually, this was one of the reasons why I went about creating the
pentest checklist for OWASP:
http://www.owasp.org/documentation/testing/application.html

Auditors like KPMG/D&T and others don't have people on board who are
technical and often rely on reports and other forms of documents from
"professionals".
The idea behind the checklist was that the auditor could request to
see what was done with regards to their web application security
review and then make a judgement as to whether the company actually
took it seriously or didn't.

Obviously time will tell if it's of any use.

Daniel

On Tue, 24 Aug 2004 06:11:13 -0400, Dave Aitel <dave@immunitysec.com> wrote:
>
> Mike Bailey (mike.bailey@sunbladesecurity.com) Mon, Aug 23, 2004 at
> 11:53:36PM -0400:
> > Dave's Direction 2: I think we're already there. Banking for example, if you
> > look at the 15,000+ banks out there you will find a very small percentage
> > that really want to be secure or even know what insecurities they have. They
> > want to know the FFIEC is not going to lower their rating (or worse let
> > their customers know) due to findings that don't meet the assessment
> > criteria the FDIC, OCC and Federal Reserve examiners are looking for. I'm
> > sure it will be the same for HIPAA as soon as they get a federal level
> > audit division for it. It's my opinion that companies want to know they
> > won't get in trouble more so than protecting themselves and others from
> > security incidents.
>
> The regulators are in a really bad position right now to determine
> security insecurities as they are not allowed to do any more than ask
> questions and review reports. I was shocked to find this out, but they
> are not allowed to use any tools or perform hands-on validation of any
> kind. They are just there to review audit reports done by 3rd parties
> and ask follow-up questions. These audits range in scope from port
> scans, penetration tests, security validation tests, to SAS70 reports.
>
> Based on their inability to verify information gathered it would only be
> from gross negligence that any financial site could be poorly rated by
> the regulators.
>
> -anon
>
> _______________________________________________
> Dailydave mailing list
> Dailydave@lists.immunitysec.com
> http://www.immunitysec.com/mailman/listinfo/dailydave