mailing list archives
Re: [PEN-TEST] How to "break into" the Pen-Testing field
From: Bennett Todd <bet () RAHUL NET>
Date: Mon, 11 Sep 2000 16:53:03 -0400
2000-09-11-13:34:03 Frasnelli, Dan:
But what really is Industry Best Practices.
I imagine SANS or similar group has a list of recommended practices.
I've completely abandoned SANS; they seem to be a pack of utter,
incurable, incompetant, unprofessional morons. They specifically
endorse and recommend sendmail and BIND, and refuse to listen to
discussions critical of these recommendations. That's enough, as far
as I'm concerned; anything that has the SANS name on it can be
As of this instant, the most vocal and active group I know of
promoting good security practice is securityfocus.com, thanks to the
mailing lists they host. If I had to hunt for other organizations I
respect at this point, it'd get a lot harder; the other good ones
have either gone bad, or gone quiet, as far as I can tell. The next
closest I know of would be Counterpane Systems, but that focuses on
crypto rather than on security in general.
As for the topic behind your mention of Industry Best Practices, I
don't advocate application of that phrase in the field of internet
security; this field is too new, and is evolving too rapidly, for
there to be any accepted Best Practices. Contrast with e.g. finance,
where for e.g. financial accounting reporting requirements there are
Industry Best Practices which evolve pretty rapidly, it takes a
professional to stay on top of them --- but accounting is arguably a
5000+- year old field.
With the field completely revolving, all old truths being replaced
by a completely new set, in just a few years, there's no time to
begin to establish Best Practice.