Dear Matt,

There are loads of excellent companies who can do audits. For example:
http://www.madison-gurkha.com is a Dutch think tank. Maybe you should
inquire with them, they will be able to assist you. They offer their
services to foreigners as well.

Keep in mind that there are also a lot of 'security experts' out there whose
only method of auditing means (trying to) connect with netcat to one of your
systems, if that fails, they label your systems as 'secure'. They claim to
do in-depth audits......yeah right. Rest assured, this is not the case with
the folks at Madison-Gurkha.

You should decide if you want to do an inside audit (give the 'attacker' the
layout of your network, and let it be examined for weaknesses from the
inside out) or an outside audit (let the 'attacker' probe your perimeter
untill they find something and possibly gain entry). You might want to
consider both, but if you want to do it by a reputable firm, be prepared to
pay up.....a lot.

With kind regards,
Dennis

----- Original Message -----
From: "Matt Hodge" <securityhodgefamily.org>
To: <focus-mssecurityfocus.com>
Sent: Friday, November 01, 2002 21:43
Subject: Certification for Win2k Web Servers

>
>
> I work at a company that offers web services to industries that are fairly
> paranoid about security. With each customer we encounter they seem to
> wince at hosting their data through our servers instead of hosting it
> themselves. So we are repeatedly going through security audits of various
> types.
>
> My question is this, are there any standards or companies that can do an
> audit on a regular basis, who has enough standing in the community that
> other companies will take their audit instead of doing their own?
>
> We have already hired independent companies to do audits and we always
> turn out fine but from a sales point of view it is becoming a major hurdle
> to have to jump over each time.
>
> Thanks
>

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]