Re: Pentesting tool - Commercial

From: puppe@hisolutions.com
Date: Wed Mar 05 2008 - 03:34:11 EST


Salve,

> -----Original Message-----
> From: listbounce@securityfocus.com [mailto:listbounce@securityfocus.com] On
> behalf of Andre Gironda
> Sent: Tuesday, 4 March 2008 22:05
> To: pen-test
> Cc: Trygve Aasheim
> Subject: Re: Pentesting tool - Commercial
>
> On Tue, Mar 4, 2008 at 12:54 PM, Trygve Aasheim <trygve@pogostick.net>
> wrote:
> > This might be a bit hard for you to understand, I see that, but just

<snip>

>
> The deliverable shouldn't be awareness - it should be workable
> solutions. Most of the time - these aren't technical at all.
> Strategy consulting is a good start to any project of this nature, and
> while the cost might be the same as a two-week assessment, it only
> takes up 1-2 days of a client's time, which really equates to much
> better savings for the client because a two-week assessment is a large
> investment for them.
>
> I would hit a few key areas:
> 1) Software acquisition. How does the client acquire new software?
> Does it come with hardware out-of-the-box (e.g. installed on a
> router)?
> 2) Software update. How does the client upgrade/update their software?
> 3) Software configuration. How does the client configure their
> software? How do they handle changes?
> 4) Software development. Does the client write their own software?
> What processes do they use?
>
> I'm fairly impressed with the BITS Shared Assessments Program
> Standardized Information Gathering questionnaire as a starting point,
> which is also available in a SIG-Lite version. Note that you don't
> have to be under SOX, ISO27k, or PCI "law" to follow COBIT, ISO 27002,
> or PCI-DSS.

I totally agree with you on this. A penetration test is good as a last touch to IT security, but in a not very security-aware company, the real problems show up more easily in a one-hour interview. Many customers buy the pentest because they are afraid to talk about their organizational difficulties like patch, user, password and service management. That's where the exploits the hacker will find hail from, and that's where they need to be fixed. Like when you pentest a company, deliver the report and, while being treated to a tour of the premises, see that the server room has ordinary windows at ground level ...

We usually do an assessment based on http://www.bsi.de/english/gshb/index.htm ; they have the only standard that covers physical, logical and organizational security, and it is very thorough, down-to-earth and comes with loads of detailed security measures to compare against.

--
Kind regards
 
Christoph Puppe
Security Consultant
 
We secure your business.(TM)
_______________________________________________________
 
HiSolutions AG     Phone:    +49 30 533289-0
Bouchéstrasse 12   Fax:      +49 30 533289-99
D-12435 Berlin     Internet: http://www.hisolutions.com
_______________________________________________________
 
Minimum information required in business e-mail correspondence under §37a HGB:
 
Registered office:
Berlin
 
Commercial register:
Amtsgericht Berlin Charlottenburg - HRB 80155
 
Management Board:
Torsten Heinrich, Timo Kob, Michael Langhoff
 
Chairman of the supervisory board:
Prof. Dr. Klaus Müller


This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:58:26 EDT