Penetration Testing: Re: My Frustrations

["Adriel T. Desautels" <ad_lists () netragard com>]

Roman,
	Yes you did miss the point, but thats alright many of your points are  
good.  My goal isn't to do anything other than to address the problem  
in the best way possible.  Some customers will always choose the  
"cheap" route and as such will get equal results.  Some customers  
don't know that they are choosing the "cheap" route and are open to  
being educated.
On Dec 22, 2008, at 1:28 PM, Roman Medina-Heigl Hernandez wrote:

> Honestly, fake "professionals" exist in all computer (and non- 
> computer)
> related fields... unfortunately you are not going to avoid them by  
> writing
> a paper:
> - A customer being faked ("the innocent") will not probably be  
> reading this
> kind of security lists and won't be able to reach your paper
> - Obviusly a fake "expert" is not going to show his/her customer  
> your paper
> neither (since it would turn against him/her)
> - Even for the real professional, I'm not sure whether it would be a  
> good
> idea (commercially speaking) to give a paper signed by a third party
> (potentially a competitor indeed) to an undecided customer... Your  
> sales
> people won't be very happy with you... Just in case you are thinking  
> about
> simply disclosing your arguments (or similar ones) to the customer,  
> are you
> sure a real expert won't be able to assess the customer in this matter
> without reading your to-be-released paper?
>
> No offense intended (perhaps I missed your point, feel free to  
> correct me
> if I'm wrong) but I think you are wasting a precious time (that it  
> could be
> of good use to trace EIP in Ollydbg's wild world...).
>
> Cheers,
> -Roman
>
>
> Adriel T. Desautels escribió:
> > Guys,
> >    I just wanted to say thank you very much for all of the good  
> > input.
> > My team and I are working to digest this and we're in the process of
> > building a strictly educational paper for distribution. This paper  
> > will
> > arm potential customers in such a way that they:
> >
> > 1-) Understand the importance of good security
> > 2-) Understand the reality of compliance
> > 3-) Know how to identify real vendors and avoid the fakes
> > 4-) Know what to expect for reports and deliverables
> > 5-) Know what questions to ask vendors, sort of an advanced
> > qualification process.
> > etc.
> >
> >    Once the paper is done (it will be a while) I'll send a link to  
> > the
> > list.  If you could also post your responses to the blog that would  
> > be
> > very much appreciated. Thanks again!!!
> >
> >
> >
> > On Dec 18, 2008, at 7:58 PM, tony_l_turner () yahoo com wrote:
> >
> > > The difference being when they screw up they might lose their  
> > > license
> > > and can't practice anymore. When we screw up we just have to find
> > > clients who haven't heard of us. Not sure if that argument is
> > > sufficient to justify licensing but figured I'd at least clarify the
> > > distinction.
> > >
> > > Sent from my Verizon Wireless BlackBerry
> > >
> > > -----Original Message-----
> > > From: "Shenk, Jerry A" <jshenk () decommunications com>
> > >
> > > Date: Thu, 18 Dec 2008 19:31:43
> > > To: pen-test list<pen-test () securityfocus com>
> > > Subject: RE: My Frustrations
> > >
> > >
> > > Is being licensed really all that different from certified?  I don't
> > > know too many teachers but I know a couple really lousy ones and  
> > > every
> > > couple days, I hear some horrible story about a teacher who had  
> > > sex with
> > > a student or....  There are bad examples in the medical profession  
> > > too
> > > and they're all licensed.  And drivers...they all have licenses.  My
> > > town requires plumbers and electricians to be licensed and they also
> > > require that one of those guys who is playing the system review my  
> > > work
> > > if I want to do something myself.  I'll bet we can all come up with
> > > electrical and plumbing stories.
> > >
> > > No, I don't think licensure is the answer.  I think personal
> > > responsibility both from the practitioner and the one needing the
> > > service (or the checkbox;) is what's really needed.
> > >
> > > -----Original Message-----
> > > From: listbounce () securityfocus com [mailto:listbounce () securityfocus com 
> > > ]
> > > On Behalf Of Sat Jagat Singh
> > > Sent: Thursday, December 18, 2008 6:54 PM
> > > To: pen-test list
> > > Subject: Re: My Frustrations
> > >
> > > Having read your blog post, I would say that I share some of these
> > > frustrations.  But many organizations are really only trying to  
> > > cover
> > > their asses and put a check in the box to say that, yes we got an
> > > assessment done to satisfy the letter of the regulations.  These are
> > > companies that are more concerned about the cost of the project  
> > > than the
> > > actual security.  While such people tend to get what they deserve,  
> > > it
> > > does create a negative reputation for the profession as a whole.
> > >
> > > Yes, I do think it is a "profession", but we have not  
> > > "professionalized"
> > > ourselves by requiring licensing.  The industry reliance on
> > > certification rather than licensing as a credential somewhat  
> > > serves to
> > > muddy the waters because the decision makers hiring security  
> > > consultants
> > > don't really know what a given certification covers.  We could  
> > > debate
> > > the value of different certifications until the cows come home but I
> > > don't want to insult anyone and we can probably agree that too  
> > > many of
> > > them do not guarantee that the holder has real qualifications and  
> > > the
> > > security unsavy will never really know how to evaluate that.  More  
> > > and
> > > more I lean toward some form of professional licensure.  One of the
> > > states will have to move in this direction before a serious debate  
> > > about
> > > it will be opened.  Until then, caveat emptor.
> > >
> > >
> > > --- On Wed, 12/17/08, Adriel T. Desautels <ad_lists () netragard com>
> > > wrote:
> > >
> > > > From: Adriel T. Desautels <ad_lists () netragard com>
> > > > Subject: My Frustrations
> > > > To: "pen-test list" <pen-test () securityfocus com>
> > > > Date: Wednesday, December 17, 2008, 11:19 AM
> > > > I recently wrote this blog entry and wanted to get some
> > > > comments from readers of this list. I'm frustrated with
> > > > the caliber of the people that are offering security
> > > > services and posing as experts, thats the subject of the
> > > > post. Please comment, insult, whatever... I'm
> > > > interested.
> > > >
> > > > http://snosoft.blogspot.com/
> > > >
> > > >
> > > > Adriel T. Desautels
> > > > ad_lists () netragard com
> > > ------------------------------------------------------------------------
> > > > This list is sponsored by: Cenzic
> > > >
> > > > Security Trends Report from Cenzic
> > > > Stay Ahead of the Hacker Curve!
> > > > Get the latest Q2 2008 Trends Report now
> > > >
> > > > www.cenzic.com/landing/trends-report
> > > ------------------------------------------------------------------------
> > >
> > >
> > >
> > >
> > > ------------------------------------------------------------------------
> > > This list is sponsored by: Cenzic
> > >
> > > Security Trends Report from Cenzic
> > > Stay Ahead of the Hacker Curve!
> > > Get the latest Q2 2008 Trends Report now
> > >
> > > www.cenzic.com/landing/trends-report
> > > ------------------------------------------------------------------------
> > >
> > >
> > > **DISCLAIMER
> > > This e-mail message and any files transmitted with it are intended  
> > > for
> > > the use of the individual or entity to which they are addressed and
> > > may contain information that is privileged, proprietary and
> > > confidential. If you are not the intended recipient, you may not  
> > > use,
> > > copy or disclose to anyone the message or any information  
> > > contained in
> > > the message. If you have received this communication in error,  
> > > please
> > > notify the sender and delete this e-mail message. The contents do  
> > > not
> > > represent the opinion of D&E except to the extent that it relates to
> > > their official business.
> > >
> > > ------------------------------------------------------------------------
> > > This list is sponsored by: Cenzic
> > >
> > > Security Trends Report from Cenzic
> > > Stay Ahead of the Hacker Curve!
> > > Get the latest Q2 2008 Trends Report now
> > >
> > > www.cenzic.com/landing/trends-report
> > > ------------------------------------------------------------------------
> > Adriel T. Desautels
> > ad_lists () netragard com
> >
> >
> >
> >
> > ------------------------------------------------------------------------
> > This list is sponsored by: Cenzic
> >
> > Security Trends Report from Cenzic
> > Stay Ahead of the Hacker Curve!
> > Get the latest Q2 2008 Trends Report now
> >
> > www.cenzic.com/landing/trends-report
> > ------------------------------------------------------------------------
> --
>
> Saludos,
> -Roman
>
> PGP Fingerprint:
> 09BB EFCD 21ED 4E79 25FB  29E1 E47F 8A7D EAD5 6742
> [Key ID: 0xEAD56742. Available at KeyServ]
Adriel T. Desautels
ad_lists () netragard com




------------------------------------------------------------------------
This list is sponsored by: Cenzic

Security Trends Report from Cenzic
Stay Ahead of the Hacker Curve!
Get the latest Q2 2008 Trends Report now

www.cenzic.com/landing/trends-report
------------------------------------------------------------------------