RE: Penetration Tests
Gary Crumrine (gcrum
us-state.gov)
Mon, 29 Sep 1997 10:58:58 -0400
- Next message: Jyri Kaljundi: "Re: firewalls and the incoming traffic problem"
- Previous message: Bennett Todd: "Re: firewalls and the incoming traffic problem"
- In reply to: Itai Dor-on: "RE: firewalls and the incoming traffic problem"
- Next in thread: Andreas Siegert: "RE: Penetration Tests"
I have been reading this thread with enthusiasm since it
started. I agree mostly with everything that has been
said, and what I disagree on is not worth mentioning, since
everyone's experiences are different. What I would like to
throw out is another thought that is in part related, but
takes this one step farther.
I have noticed that, for the most part, everyone who is
trying to muscle in to the security market today seems to
be zeroing in on the penetration end of the spectrum. This
to me seems to be the worst place to start out. I will
admit that it is quick profit get in and get out type of
work, but in reality, it just doesn't fit. It gives you a
sense of security, but we all know that it is in the art of
interpretation of the results that the real science of
security expertise begins. Some of our brethren may not be
doing us a favor by this tactic, and may in the end harm
our industry's credibility.
I believe that if you truly want to have the maximum
effect on the outcome of a customer's threat management
program, as security experts, we need to be involved from
the beginning, doing the risk analysis, looking at business
practices and verifying services versus a true business
need, helping the customer develop a comprehensive, but
more importantly an enforceable security policy prior to
recommending the flavor of the month guard device. This
process builds a relationship with the customer that if
done correctly, will result in follow on work etc... Read
that increased profits... Remember, it is not the box that
is important (Whoa, settle down resellers) it is the
program that fails, or succeeds.
The customer is the one who will ultimately win or lose in
the end. Wouldn't you want to employ the services of
someone or an entity that has a stake in the outcome?
Sure, you can go to a third party to verify your work, I
even recommend it, but do not think that the fast profit
generated by the big guns is by any means the only option.
It has been a thrill to watch the big accounting firms
bidding for every so-called expert and also watching the
lemming effect on the industry. Good, bad or ugly, they
are making a difference.
Thoughts? Comments? Flames?
Gary
This archive was generated by hypermail 2.0b3 on Sat Jul 17 1999 - 07:08:58 CDT