Re: [Professional IT Security Reviewers - Exposed] SecReview ( F - )

["Sec Review Sucks" <secreview.exposed () gmail com>]

> 1.) What are your qualifications for reviewing these companies?
>
> We are a team of security professionals that have been performing a
> wide array of penetration tests, vulnerability assessments, web
> application security services etc. One of our team members has
> founded two different security companies both of which have been
> very successful and have offered high quality services. Yes we have
> all sorts of pretty little certifications, but those don't really
> matter.


MY RESPONSE:
If you are also a penetration testing company, how do you maintain
independence?  Who is reviewing you?  What makes you more qualified then any
other vendor to be performing this lunacy?  One of your team members has
founded two different security companies???  Great!  Which ones?  Lots of
people out there have founded security companies, and as your site would
strongly suggest, are not qualified to be performing the work.  No
certifications do not matter, note that I didn't ask what certifications you
hold, I asked what your qualifications are.

> 2.) Your criteria for review is clearly flawed.  Reviewing
> marketing material, websites, etc. is just ridiculous.  Typically
> these are not created by the security team itself, but instead the
> marketing department for a company.  You only just mentioned that
> you started reviewing sample reports, and that not all companies
> are willing to provide these.  How could you possibly review a
> company WITHOUT a sample report at the minimum?
>
> We review companies based on what we are given by the companies and
> based on what we can find on the internet, with Google, etc. Our
> reviews are only as good as what we can find. That is why each
> review is open for debate and why we form an opinion that can be
> changed. To date, we've had no complaints about our reviews and for
> the most part according to readers have been spot on.

MY RESPONSE:
Yes, your reviews are only as good as what you can find... that being the
problem.  You can't seriously propose that you can review a company with any
accuracy without actually experiencing the work they perform or talking to
and surveying their clients.  Consider this a formal complaint... on ALL of
your reviews.  It doesn't matter if they are good or bad, they are all
flawed.  If you guys are so skilled, I'd like to assume you have some
science based degree, maybe CS or CE or EE, something worthwhile.  If so,
you know that any experiment based on flawed data is a flawed experiment.

> 3.) What is your scoring system?  Do you even have one?
>
> We do have a scoring system but are still refining it. We are
> trying to find a way to set more clear boundaries between scores so
> that scores are based more on fact than opinion. Right now, they
> are mostly based on opinion and what we as professionals consider
> quality services.

MY RESPONSE:
Again, back to your opinion.  Opinions are worthless unless they are based
off of facts.  Again, you go back to qualifying your opinion by saying you
are a professional, but we haven't established that you are in fact a
professional or qualified to provide anything then a layman's opinion at
this time.

> 4.) If company A does not submit themselves for review, and
> therefore will not provide you with the information you need to
> review them, do they get a lower score?
>
> No, if a company does not submit themselves for review they do not
> get a lower score. In fact, most companies do not submit themselves
> for review but still provide us for sample reports when we call
> them. Sample reports help out for obvious reasons, but then again
> so do all of the other aspects of our research.
>
>
> We are for all intents and purposes akin to a prospective client
> looking for an assessment. What we see during a review is what a
> prospect would see if they took the time to really dig in and
> analyze security companies. Our opinions are non-biased, all
> companies start with an A.


MY RESPONSE:
Again, if we could see your scoring system, this may make sense... of course
we can't, cause you don't have one.  I don't see how you could possibly
grade a company that gives you no information and has little information on
the web with the same scale as one who provided you all the information.
Thus, a company that gives you nothing and exposes little will always have a
weak review.

> Did that help?
>
> P.s.  Next time you might want to base your opinion off of the blog
> instead of reading just a few emails. Then at least you could offer
> useful critical insight into what we are doing.


MY RESPONSE:
So far, your emails to this list have established quite nicely that you are
not qualified to do this, and even if you were, your method is so flawed it
is not useful.  I see no reason to waste my time exploring your blog.
Additionally, I can hardly be blamed if you post poor examples of what you
are doing, they're your emails and speak only to what you are doing.
Finally, your general attitude in responding to criticism is very childish,
this would also suggest you are not capable of being professional about what
you are doing.  Give up.  You are wasting the lists time.

> Regards,
>      The Secreview Team
>      http://secreview.blogspot.com
>
> --
> Click to become an artist and quit your boring job.
>
> http://tagline.hushmail.com/fc/Ioyw6h4d5AHXKLdCIMLN9gwy8H5Q45x91dHUN3l8DAVzA1Y1Y2f3iu/
>      Professional IT Security Service Providers - Exposed
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/