Re: Exploiting XSS

From: Adriel T. Desautels (ad_listsnetragard.com)
Date: Sat Dec 06 2008 - 09:59:27 CST


Paul, very interesting perspective you have there. My comments are
embedded below.

On Dec 6, 2008, at 8:07 AM, Paul Melson wrote:

> On Fri, Dec 5, 2008 at 7:33 PM, Adriel T. Desautels
> <ad_listsnetragard.com> wrote:
>> [...] I do not respect people who offer protective
>> security services when they don't know what they are doing.
>> That in my opinion is nearly criminal because you are giving people
>> a false sense of
>> security. What are you going to say when they get hacked because
>> you missed
>> something absolutely obvious?
>
> First of all, I'm not jumping in to defend the guy that couldn't
> Google his way to a PoC for the XSS vuln he found. At the same time,
> your statement is worrisome. All pen-testers and pen-testing
> methodologies miss something eventually. Normally I'd ramble on about
> setting expectations, responsible consulting, yada yada yada, but I
> really want to get to...
>
>> People who pay security experts to do work should always be getting
>> quality work.
>
> I wholeheartedly disagree. Yes, I too dislike the fact that there are
> total novices working in the security field, many of whom give aspects
> of our industry a bad name. However, this is directly a result of
> clients not wanting to pay for expertise. PCI has done more in the
> past year to drive this than anything I've seen before, by making
> third-party testing an explicit requirement. At the end of the day,
> companies that hire security services deserve to get what they pay
> for, and nothing more. And so this guy's not really to blame.
> Instead, blame his clients, since they don't want to pay market rate
> or properly vet their testers. They just don't want the bank to turn
> their VeriFone* off

Point taken but I don't agree. We are the security experts and our
customers trust us to provide quality work. Our customers do not have
a way to weed out the "fake" providers from the real providers (aside
from a few white-papers on our website). As a real provider, I feel
that it is the responsibility of my company to educate customers about
what they are getting, its respective quality, and what it will do for
them. As a quality provider our core rule is that we do not ever
produce reports that are the product of automated scanners. To anyone
who knows what they are doing reports like that are a huge red flag.

So, yes, this guy is to blame because he is a part of the problem. He
is out there offering services to "suckers" and taking their hard
earned money. It's not their fault that they are "suckers"; we can't
expect all of them to be security experts. Mind you, I'm not saying
that he's an ass or that he's unethical etc. I am saying that he
doesn't know what he's doing and shouldn't be offering security
services that will inevitably not protect his customers from people like
the people on my team, only with tainted ethics.

If you can't test at the same level as the threat that your customers
will face, then you are in over your head. If that's the case, then it is
your ethical responsibility to bow out; doing anything less is
outright unethical and a disservice.

>
> And then all of you that complain about novices in your field need to
> ask yourselves why they don't know the difference. What have you,
> your company, or any groups/associations you belong to done to help
> educate the larger IT marketplace that there's a significant
> difference in quality and effectiveness between pen-testers? If you
> don't have an answer for that question, maybe it's time to find one.

We, as Netragard, have done quite a bit. In fact, that is a component of
our mission. If you hit our website you can download two very high-
level white papers that are designed to educate customers before they
select or purchase services. We know what we're doing; people that
don't should bow out or start thinking like hackers. Am I harsh?
Certainly, but this isn't a game. We're here to protect people's
families and their income by proxy. If we fail to do our jobs, then
people get hurt.

>
> PaulM
>
> * http://traceyray.com/images/printpak350_lg.jpg

Adriel T. Desautels
ad_listsnetragard.com
