From: Adriel T. Desautels (ad_lists at netragard.com)
Date: Fri Jul 17 2009 - 12:44:13 CDT
Tim,
I partially agree with what you've said here; people need a way
to verify their vendor and their vendor's respective teams. Too many
vendors claim that they do this and that, but when it comes time to work
they've got no talent to show. "All hat and no cattle," as a matter of
speaking.
Anyway, I didn't say "only use Facebook," did I? Use any means
possible. Bottom line is, though, if the company has researchers, then
the company will have published advisories. If they've done that, then
you should be able to get a good idea of their capability by doing
research on their research.
Manual testing is research after all, and it's not all created equal.
Lots of vendors who claim that they do manual testing don't. They just
verify that a service that was reported as vulnerable by Nessus is
actually up and running. If it is running, then it passes their "manual
test". That's a joke if you ask me.
Btw, if you comment on the blog, I might post it. :)
On Jul 17, 2009, at 1:20 PM, Tim wrote:
>
> Hi Adriel,
>
> I agree with the vast majority of what you're saying. I work as an
> application penetration tester, amongst other things, and the crew I
> work with is very hands-on. On numerous occasions I've performed
> testing on environments that had previously been tested by other
> vendors, only to find dozens of vulnerabilities that they hadn't found
> because of the problems you mention with highly automated testing.
>
> However, I take issue with this:
>
>> • Ask them for the names of their security experts and then use tools
>> like Google, LinkedIn, Facebook and PIPL to do research on those
>> experts. If nothing comes up then chances are their experts aren't
>> experts at all.
>
> Do I really need a Facebook page to be a security expert? There are
> plenty of very sharp testers out there who don't relish the limelight
> and don't spend their free time blogging about the little hacks they
> found this week. Also, many might post under pseudonyms to help
> separate their private research activities from work-related ones.
>
> That's not to say doing background research on their consultants isn't
> useful, but you can't rely on experts always showing off their stuff.
>
> tim
>
Adriel T. Desautels
ad_lists at netragard.com
--------------------------------------
Subscribe to our blog
http://snosoft.blogspot.com