Full Disclosure
mailing list archives
Re: [Professional IT Security Providers -Exposed] Cybertrust ( C + )
From: "SecReview" <secreview () hushmail com>
Date: Thu, 20 Dec 2007 12:30:43 -0500
You obviously haven't a clue as to what you are talking about. Our readers are customers that have used the service of the vendors before. To date, they agree that our reviews have been accurate and very fair.

In conjunction with that, our reviews are usually the product of analysis done against materials provided by the vendor, including sample reports. So, yes, we do see the quality of their end deliverable, not for all but for many.
On Thu, 20 Dec 2007 10:09:03 -0500 Kurt Dillard <kurtdillard () msn com> wrote:
Because it's absurd to write a review for a service without actually experiencing the service. The original poster's messages have only had entertainment value; they've had no value from an information security perspective. If you'd like to provide a link to your MSN profile and Facebook pages I'll write up a resume for you. Does that sound like a good idea?
From: full-disclosure-bounces () lists grok org uk [mailto:full-disclosure-bounces () lists grok org uk] On Behalf Of Epic
Sent: Thursday, December 20, 2007 11:56 AM
To: c0redump
Cc: full-disclosure () lists grok org uk
Subject: Re: [Full-disclosure] [Professional IT Security Providers -Exposed] Cybertrust ( C + )
Isn't ANY review subjective to opinion? I do not understand the basis of this flame. It appears to me that a lot of the reviews on this site offer some great insight into the companies being presented. Granted it is an opinion, but that is what a blog is, isn't it?
On 12/20/07, c0redump <c0redump () ackers org uk> wrote:
Exactly. Your 'grading' is based on your personal opinion.
Do us all a favour and get a proper job.
----- Original Message -----
From: "guiness.stout" <guinness.stout () gmail com>
To: <full-disclosure () lists grok org uk>
Sent: Thursday, December 20, 2007 2:05 PM
Subject: Re: [Full-disclosure] [Professional IT Security Providers -Exposed] Cybertrust ( C + )
I'm not really clear on how you are grading these companies. I've had no personal experience with them, but I don't decide a company's quality of work simply by their website and what information I get from some customer support person. These "grades" seem pointless and frankly unfounded. You should reword your grading system to specify the ease of use of their websites and not the service they provide, especially if you haven't ordered any services from them. I'm not defending anyone here, just pointing out some flaws in this "grading."
On Dec 20, 2007 12:11 AM, secreview <secreview () hushmail com> wrote:
One of our readers made a request that we review Cybertrust ("http://www.cybertrust.com"). Cybertrust was recently acquired by Verizon, and as a result this review was a bit more complicated and required a lot more digging to complete (in fact it's now Cybertrust and Netsec). Nevertheless, we managed to dig information specific to Cybertrust out of Verizon representatives. We would tell you that we used the website for information collection, but in all reality the website was useless. Not only was it horribly written and full of marketing fluff, but the services were not clearly defined.
As an example, when you view the Cybertrust services in their drop-down menu you are presented with the following service offerings: Application Security, Assessments, Certification, Compliance/Governance, Consulting, Enterprise Security, Identity Management, Investigative Response/Forensics, Managed Security Services, Partner Security Program, Security Management Program, and SSL Certificates. The first thing you think is "what the hell?"; the second is "ok, so they offer 12 services".
Well, as you dig into each service you quickly find out that they do not offer 12 services, but instead they have 12 links to 12 different pages full of marketing fluff. As you read each of the pages in an attempt to wrap your mind around what they are offering as individually packaged services, you're left with more questions than answers. So again, what the hell?
Here's an example. Their "Application Security" service page does not contain a description of a Web Application Security service. In fact, it doesn't even contain a description of a System Software/Application security service. Instead it contains a super high-level, super vague and fluffy description that covers a really general idea of "Application" security services. When you really read into it you find out that their Application Security service should be broken down into multiple different defined service offerings.
Even more frustrating is that their Application Security service is a consulting service and that they have a separate service offering called Consulting. When you read the description for Consulting, it is also vague and mostly useless, but does cover the "potential" for Application Security.
So, trying to learn anything about Cybertrust from their web page is like trying to pull teeth out of a possessed chicken. We decided that we would move on and call Cybertrust to see what we could get out of them with a conversation. That proved to be a real pain in the ass too, as their website doesn't list any telephone numbers. We ended up calling Verizon and after talking to 4 people we finally found a Cybertrust representative.
At last, a human being that could provide us with useful information and answers to our questions about their services. We did receive about 2 MB of materials from our contact at Cybertrust, but the materials were all marketing fluff, totally useless. That being said, our conversation with the representative gave us a very clear understanding of how Cybertrust delivers their services. In all honesty, we were not all that impressed.
Cybertrust does perform their own Vulnerability Research and Development (or so we were told) under the umbrella of ICSAlabs, which they own. Usually we'd say that this is great because that research is often used to augment services and enhance overall service quality. With respect to Cybertrust, we couldn't find out what they were doing with their research. They just told us that they don't release advisories and then refused to tell us what they did with the research.
When we asked them about their services and testing methodologies, we were first told that they couldn't discuss that. We were told that their methodologies were confidential. But after a bit of Social Engineering and sweet talking we were able to get more information...
As it turns out, the majority of the Cybertrust services rely on what they say are proprietary automated scanners which were developed in-house. Their methodology is to run the automated scanners against a specific target or set of targets, and then to pass the results to a seasoned professional. That professional then verifies the results via manual testing and produces a report that contains the vetted results.
This methodology doesn't really offer any depth and doesn't do much to raise the proverbial security bar. In fact, it is only slightly better than running a Qualys scan, changing the wording of the report, and delivering that. Quality methodologies should contain no more than 20% automated testing and no less than 80% manual testing. Vulnerability discovery should be done via manual testing, not just via automated testing.
In defense of Cybertrust, they did say that they would test in accordance with the customer's requirements. They also did say that if the customer wanted 100% manual testing that they would do it. If they want 100% automated "rubber stamp of approval" testing they would do that too. Saying it is a lot different than doing it though, and we weren't impressed with their standard/default testing methodology as previously mentioned.
It is important to note that Cybertrust is also a full-service security provider. They offer a wide range of services, from supporting secure product development services, to security testing, and even forensic services. With that said, their services do not seem to be anything special. In fact, they seem to be just about average, short of their horrible website and overwhelming marketing fluff.
It is our recommendation that you choose a different provider if you are looking for well-defined, high-quality services. Cybertrust is cloaked in a thick layer of marketing fluff and frankly doesn't seem to be very easy to work with. That being said, they were also not easy to review. If you disagree with this post or have worked with Cybertrust in the past, then please leave us a comment. We're going to give Cybertrust a "C", but if you can convince us that they deserve a different grade then we'll revise our opinion.

Thanks for reading.
--
Posted By secreview to Professional IT Security Providers - Exposed at 12/19/2007 07:32:00 PM
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Regards,
The Secreview Team
http://secreview.blogspot.com
Professional IT Security Service Providers - Exposed