Home page logo

pen-test logo Penetration Testing mailing list archives

FW: My Frustrations
From: "Erin Carroll" <amoeba () amoebazone com>
Date: Thu, 18 Dec 2008 15:36:36 -0800

H.D. if you don't want clients checking up on postings then use a
pseudonym, preferably one that you hold a little close. I don't make
big deal about hiding behind this one. I jsut use it to show that my
postings are personal and not on behalf of my employer. Another
alternative to the issue is to have closed lists where the
participants are vetted. I'm on a few of those and they vary in
quality as well... go figure.

Putting on my non-moderator hat for a change...
Sometimes we forget that there are some 15k+ subscribed list members
with a wide range of backgrounds and expertise. From well-known experts
and practicing professional such as HD, Dave, Adriel, etc, to 13yr old
script kiddies or novices just interested in pen-testing in general.
I'm not ashamed to admit that my code analysis skills are weak and to
ask questions around that aspect or rely on advice from people like HD
and others who have a better grasp on those things. My expertise is
slanted towards other realms. That said, there are many posts I've let
through where it's apparent someone is in above their heads in an area
where they are representing themselves as a expert. As a moderator, my
job is to keep discussions flowing and relevant to pen-testing. As a
security professional, I shudder with horror at the things some people
As Adriel said, the real problem is when a supposed expert is looking
for help on something that is so basic that you wonder how they got the
contract at all. It devalues the work of the real experts and fosters a
false sense of security. The responses to such questions (qualification
issue aside) are useful for list members whose expertise or background
isn't in that particular area and spreads Clue to those readers. Lack
of knowledge isn't a bad thing, we're all here to learn _something_.
Misrepresenting your expertise I believe is a very Bad Thing... but it
happens and they land clients who are ill-served and might not realize

The only feasible solution I see is to educate clients so they can
tell the wheat from the chaff. How to do so across the industry is a
vexing question. I don't think regulatory bodies would work.  I don't
think certifications work. They can be good indicators of actual
expertise but, as many others have pointed out, are not in and of
themselves guarantees of qualification for hands-on "doing the work".
So far there is no replacement for word of mouth.

Erin Carroll
CTO & Vice President | iVOLUTION Security Technologies

This list is sponsored by: Cenzic

Security Trends Report from Cenzic
Stay Ahead of the Hacker Curve!
Get the latest Q2 2008 Trends Report now


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]