Penetration Testing: Re: Pentest Letter of Achievement/Certificate

["blowfish 448" <blowfish448 () hotmail com>]

Tom, Ralph,

thanks for the input, and I totally agree. Should have been paying more 
attention
to the wording I used. It's not so much providing a certificate of success, 
here I
agree with your arguments, but rather an objective statement of penetration 
testing
has been executed at a certain period in time on infrastructure X at 
customer Y by
company Z. This so they can show to their customer base they take security 
serious
and have undergone testing.

> From my experience in the financial market customers and partners - e.g. 
other banks -
of financial organisations asking for such proof is absolutely not so 
uncommon.
Thanks

> On 7/12/05, blowfish 448 <blowfish448 () hotmail com> wrote:
> > Hi,
> >
> > any of you know if any 'standards' or accepted guidelines exist for a 
> letter
> > or certification
> > of succesfull resistance to Penetration Testing/Vulnerability 
> Assessment.
> > Customers often
> > demand to have a proof delivered by their Penetration Test service 
> provider
> > to show to their
> > partners and customers.
> >
> > The idea of course is not to disclose sensitive information but to 
> briefly
> > describe
> > the environment tested and how - according to which methodologies and 
> the
> > attack vectors
> > tested for.
> >
> >
> > Thanks in advance
> >
> >
> >