Re: Pentest Letter of Achievement/Certificate

From: blowfish 448 (blowfish448@hotmail.com)
Date: Thu Jul 14 2005 - 02:16:40 EDT


John,

thanks, I agree it takes only 5 minutes with a word processor but my
original question actually was to know if there is some general
standard/best practice with such one or two pager statement - e.g. a good
statement should contain at least:

- issue date
- high level description on the environment tested (no details to maintain
confidentiality)
- procedures, methodology applied while testing
- extent of tests (penetration test, procedure and policy review, change
management, incident management etc...)
- limitations: no warranty, snapshot of situation at certain point in time
etc...

and should not contain:

- IP addressing/application details/environment specifics
- results of the testing
- ...

Thanks

>From: John Kinsella <jlk@thrashyour.com>
>Reply-To: John Kinsella <jlk@thrashyour.com>
>To: blowfish 448 <blowfish448@hotmail.com>
>CC: pen-test@securityfocus.com
>Subject: Re: Pentest Letter of Achievement/Certificate
>Date: Wed, 13 Jul 2005 14:46:15 -0700
>
>
>First off, I guess I read between the lines of blowfish's orig. post -
>was trying to provide a seal of approval so to speak, saying that a
>given pen test was conducted in a thorough manner by a respectable
>source.
>
>Did a quick review of the 2.1 docs, what I was thinking of isn't quite
>a letter as you were looking for (that's done in 5 mins with a word
>processor) but there's a seal and verbiage on page 11 that "certifies"
>to a degree what's been done.
>
>What it comes down to, though, is if one follows the manual for the
>pentest, and issues a thorough report following the templates - you
>should end up with a fairly thick and useful document. At that point,
>putting a signed page with a seal on it at the front should satisfy most
>people.
>
>btw, isecom guys - http://www.isecom.org/stamps.htm is dead, although
>linked to in a public document. tsk, tsk. :)
>
>John
>
>On Wed, Jul 13, 2005 at 10:33:10AM +0200, blowfish 448 wrote:
> >
> > Hi John,
> >
> > I checked and in the current available OSSTMM 2.1 version there is a
> > certain 'data sheet' mentioned in the accreditation section. It says
> > however in the document that such data sheet is only available in vs. 2.5
> > which I could not trace back. After 2.1 the next one set for release is
> > 3.0. Do you know of such 2.5 version maybe?
> >
> >
> > Thanks
> >
> >
> > >From: John Kinsella <jlk@thrashyour.com>
> > >Reply-To: John Kinsella <jlk@thrashyour.com>
> > >To: blowfish 448 <blowfish448@hotmail.com>
> > >CC: pen-test@securityfocus.com
> > >Subject: Re: Pentest Letter of Achievement/Certificate
> > >Date: Tue, 12 Jul 2005 19:29:43 -0700
> > >
> > >I think http://www.isecom.org/osstmm/ might cover what you're looking
> > >for...
> > >
> > >John
> > >
> > >On Tue, Jul 12, 2005 at 10:52:42PM +0200, blowfish 448 wrote:
> > >> Hi,
> > >>
> > >> any of you know if any 'standards' or accepted guidelines exist for a
> > >> letter or certification of successful resistance to Penetration
> > >> Testing/Vulnerability Assessment. Customers often demand to have a
> > >> proof delivered by their Penetration Test service provider to show to
> > >> their partners and customers.
> > >>
> > >> The idea of course is not to disclose sensitive information but to
> > >> briefly describe the environment tested and how - according to which
> > >> methodologies and the attack vectors tested for.
> > >>
> > >>
> > >> Thanks in advance
> > >>
> > >>
> >
> >



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:54:33 EDT