Home page logo
/

pen-test logo Penetration Testing mailing list archives

Re: My Frustrations Step Two
From: "Paul Melson" <pmelson () gmail com>
Date: Fri, 19 Dec 2008 07:04:35 -0500

On Thu, Dec 18, 2008 at 7:27 AM, Adriel T. Desautels
<ad_lists () netragard com> wrote:

So it appears to me that the solution to this problem is to provide the
customer with ammunition so that they can quickly shoot down the fraudulent
security experts and properly identify the real ones. There are different
services, different classifications of service, different threat levels,
etc. If our customers knew how to identify what they needed, they could use
that to choose a good provider with much more success. But thats the real
problem isn't it? Our customers aren't security experts and as a result they
don't know what they need...

I think that you're on the right track here, insofaras customer
awareness is the key to differentiating expert pen-testers from people
who charge money for Nessus scans.  (To that point, using a scanner
isn't a differentiator between a poseur and a real pen-tester, but
*only* using a scanner is probably the big one.)  But this is far from
a silver bullet.  As I pointed out the last time we discussed this
topic, there are customers out there that want - or are required to
have - a report from a third party that shows hat they're secure.  And
they're not willing to pay much, so they're not going to get much.

For a Netragard, or an InGuardians, or an IOActive, or an Immunity, it
is simply not worth their time to work with clients who want to do
security on the cheap.  They staff experts, and they pay for it.  As a
result, so must their clients, and it's clear that they don't have
problems getting clients who are willing to pay for access to their
experts.  But if somebody's willing to spend money, somebody's also
likely willing to take it, and that's not going to change no matter
how much you educate the customer.  Unqualified people will continue
to do IT security work for the duration.  And for those that propose
licensing as a solution, ask an attorney how effective that's been in
their field.


So, what questions can we arm our customers with so that they can weed out
the Frauds?

I think that this is less about general education and more about brand
awareness.  It is a business, after all.  In our industry, you build
brand awareness by publishing new research and by sending your experts
to present at conferences where they can be seen.  Oh, and you put
your logo on all of it. :-)

The end result will be customers who want, and can easily find,
upper-echelon talent and service on one end, and customers who care
only about cost on the other, with a pretty big middle defined by
various organizational constraints.  Frankly, I'm not sure we aren't
already there.

PaulM

------------------------------------------------------------------------
This list is sponsored by: Cenzic

Security Trends Report from Cenzic
Stay Ahead of the Hacker Curve!
Get the latest Q2 2008 Trends Report now

www.cenzic.com/landing/trends-report
------------------------------------------------------------------------


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]