Penetration Testing mailing list archives
AW: Pentesting tool - Commercial
From: <puppe () hisolutions com>
Date: Wed, 5 Mar 2008 09:34:11 +0100

Salve,


-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On
Behalf Of Andre Gironda
Sent: Tuesday, 4 March 2008 22:05
To: pen-test
Cc: Trygve Aasheim
Subject: Re: Pentesting tool - Commercial

On Tue, Mar 4, 2008 at 12:54 PM, Trygve Aasheim <trygve () pogostick net>
wrote:
This might be a bit hard for you to understand, I see that, but just

<snip>


The deliverable shouldn't be awareness - it should be workable
solutions.  Most of the time - these aren't technical at all.
Strategy consulting is a good start to any project of this nature, and
while the cost might be the same as a two-week assessment, it only
takes up 1-2 days of a client's time, which really equates to much
better savings for the client because a two-week assessment is a large
investment for them.

I would hit a few key areas:
1) Software acquisition.  How does the client acquire new software?
Does it come with hardware out-of-the-box (e.g. installed on a
router)?
2) Software update.  How does the client upgrade/update their software?
3) Software configuration.  How does the client configure their
software?  How do they handle changes?
4) Software development.  Does the client write their own software?
What processes do they use?

I'm fairly impressed with the BITS Shared Assessments Program
Standardized Information Gathering questionnaire as a starting point,
which is also available in a SIG-Lite version.  Note that you don't
have to be under SOX, ISO27k, or PCI "law" to follow COBIT, ISO 27002,
or PCI-DSS.


I totally agree with you on this. A penetration test is good as a last touch to IT security, but in a company that is not very
security aware, the real problems show up more easily in a one-hour interview. Many customers buy the pentest because
they are afraid to talk about their organizational difficulties like patch, user, password and service management.
That's where the exploits the hacker will find hail from, and that's where they need to be fixed. Like when you pentest
a company, deliver the report, and, while being given a tour of the premises, see that the server room has ordinary
windows at ground level ...

We usually do an assessment based on http://www.bsi.de/english/gshb/index.htm ; they have the only standard that covers
physical, logical and organizational security, and it is very thorough, down to earth and with loads of detailed security
measures to compare against.

--
Kind regards
 
Christoph Puppe
Security Consultant
 

We secure your business.(TM)
_______________________________________________________
 
HiSolutions AG     Phone:    +49 30 533289-0
Bouchéstrasse 12   Fax:      +49 30 533289-99
D-12435 Berlin     Internet: http://www.hisolutions.com
_______________________________________________________
 



