Then maybe someone should define what the components are for a standard
penetration test, a vulnerability assessment, and a security audit. This
document then should be published as a security community approved standard
as either an RFC under the IETF or through some other recognized
organization.
My .02
Ron Ogle
Thomson multimedia
Rennes, France
> -----Original Message-----
> From: R. DuFresne [mailto:dufresne_at_sysinfo.com]
> Sent: Wednesday, September 05, 2001 9:12 PM
> To: Todd Ransom
> Cc: pen-test_at_securityfocus.com
> Subject: Re: Security Audit
>
> Anyone claiming that their pen test, vuln assessment, or security audit
> consists merely of running nessus and or nmap and producing a report and
> final results is a charlatan, and does the security industry a
> disservice. Yet, I have seen, in practice, both outside consultants,
> hired guns from the outside and supposedly 'trained' professionals <CISSP!>
> within the corporate sector do merely this and stamp "certified secure"
> across organizations. A "test, assessment, or audit" is more akin to
> remodeling than new home building, and remodeling, having done lots of it
> over time, I can safely state, is -=dirty work=-. When you rip open a
> wall, one is sometimes amazed, as well as disheartened, at what they find
> behind the sheetrock and plaster.
>
> Thanks,
>
> Ron DuFresne
----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/
Received on Sep 06 2001