Penetration Testing
mailing list archives
Re: Pentesting tool - Commercial
From: <puppe () hisolutions com>
Date: Wed, 5 Mar 2008 09:34:11 +0100
Salve,
-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On behalf of Andre Gironda
Sent: Tuesday, 4 March 2008 22:05
To: pen-test
Cc: Trygve Aasheim
Subject: Re: Pentesting tool - Commercial
On Tue, Mar 4, 2008 at 12:54 PM, Trygve Aasheim <trygve () pogostick net> wrote:
This might be a bit hard for you to understand, I see that, but just
<snip>
The deliverable shouldn't be awareness - it should be workable
solutions. Most of the time - these aren't technical at all.
Strategy consulting is a good start to any project of this nature, and
while the cost might be the same as a two-week assessment, it only
takes up 1-2 days of a client's time, which really equates to much
better savings for the client because a two-week assessment is a large
investment for them.
I would hit a few key areas:
1) Software acquisition. How does the client acquire new software?
Does it come with hardware out-of-the-box (e.g. installed on a
router)?
2) Software update. How does the client upgrade/update their software?
3) Software configuration. How does the client configure their
software? How do they handle changes?
4) Software development. Does the client write their own software?
What processes do they use?
I'm fairly impressed with the BITS Shared Assessments Program
Standardized Information Gathering questionnaire as a starting point,
which is also available in a SIG-Lite version. Note that you don't
have to be under SOX, ISO27k, or PCI "law" to follow COBIT, ISO 27002,
or PCI-DSS.
I totally agree with you on this. A penetration test is good as a last touch to IT security, but in a not very security-aware company, the real problems show up more easily in a one-hour interview. Many customers buy the pentest because they are afraid to talk about their organizational difficulties like patch, user, password and service management. That's where the exploits the hacker will find hail from, and that's where they need to be fixed. Like when you pentest a company, deliver the report and, while being treated to a tour of the premises, see that the server room has normal windows level with the ground ...

We usually do an assessment based on http://www.bsi.de/english/gshb/index.htm ; they have the only standard that covers physical, logical and organizational security, and it is very thorough, down to earth and with loads of detailed security measures to compare against.
--
Kind regards
Christoph Puppe
Security Consultant
We secure your business.(TM)
_______________________________________________________
HiSolutions AG Phone: +49 30 533289-0
Bouchéstrasse 12 Fax: +49 30 533289-99
D-12435 Berlin Internet: http://www.hisolutions.com
_______________________________________________________
Minimum information for business e-mail correspondence under §37a HGB:
Sitz der Gesellschaft / registered office:
Berlin
Handelsregistereintrag / Commercial register:
Amtsgericht Berlin Charlottenburg - HRB 80155
Vorstand / Management Board:
Torsten Heinrich, Timo Kob, Michael Langhoff
Vorsitzender des Aufsichtsrates / Chairman of the supervisory board:
Prof. Dr. Klaus Müller