Then maybe someone should define what the components are for a standard penetration test, a vulnerability assessment, and a security audit. This document then should be published as a security community approved standard as either an RFC under the IETF or through some other recognized organization.

My .02

Ron Ogle
Thomson multimedia
Rennes, France

> -----Original Message-----
> From: R. DuFresne [mailto:dufresneat_private]
> Sent: Wednesday, September 05, 2001 9:12 PM
> To: Todd Ransom
> Cc: pen-testat_private
> Subject: Re: Security Audit
>
>
> Anyone claiming that their pen test, vuln assessment, or security audit
> consists merely of running nessus and or nmap and producing a report and
> final results is a charlatan, and does the security industry a
> disservice. Yet, I have seen, in practice, both outside consultants,
> hired guns from the outside and supposedly 'trained' professionals <CISSP!>
> within the corporate sector do merely this and stamp "certified secure"
> across organizations. A "test, assessment, or audit" are more akin to
> remodeling, than new home building, and remodeling, having done lots of it
> over time, I can safely state, is -=dirty work=-. When you rip open a
> wall, one is sometimes amazed, as well as disheartened at what they find
> behind the sheetrock and plaster.
>
> Thanks,
>
> Ron DuFresne

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service. For more information on SecurityFocus' SIA service which automatically alerts you to the latest security vulnerabilities please see: https://alerts.securityfocus.com/
This archive was generated by hypermail 2b30 : Thu Sep 06 2001 - 16:06:42 PDT