Re: Security Audit

From: bluefur0r bluefur0r (bluefur0rat_private)
Date: Thu Sep 06 2001 - 14:26:31 PDT


    Here are my experiences although this thread will be put to death soon...
    When asked by the sales/billing dept. ("how long will this take?"), here's one for you all. Ask for the audit to be done in two phases: automated scanning (e.g. vuln-assessment with nmap, nessus, other automated tools, whisker etc.) and then the pen-test. The reason for this is that once you do the automated scan you know exactly how many boxes are up, what services are running and what might exist on the webservers. This will help you greatly in gauging the time it will take to do the pen-test. Now you have all the information you'd need to start the pen-test.
    
    In the past I made a grave error... (when I first started ;P). I did the automated scans, then penetrated with JUST the results I had from the automated scans. As I reflect, I realize that was not an audit but just a pen-test. Yeah, great, give them the report with how you broke in. But I missed a lot of information! What about the application layer? What about custom CGIs? Audits are meant for one reason: to be thorough and try to find every single hole you can. Would a financial auditor ever leave out any detail on how a company was doing? Hell no, and if they did you might want to find a new auditor ;). Obviously audits aren't the "cure all", but they should be pretty damn up-to-date and pretty damn complete to give the company the best idea possible of where the risks are and where they are tight. 
    -blue 
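    The two-phase approach above (automated scan first, then size the pen-test from what the scan found) is easy to mechanise. The following is an added example, not code from the post or from SecurityFocus: it parses nmap's greppable (-oG) output, counts hosts up, open services and web servers, and turns that into a rough phase-2 estimate. The scan output is a constructed sample, and the hours-per-service and hours-per-web-host figures are illustrative assumptions, not figures from the post.

```python
import re
from collections import Counter

# Constructed sample of nmap greppable output (-oG); not a real scan.
# Line format: "Host: <ip> (<name>)<TAB>Ports: port/state/proto/owner/service/rpc/version/, ..."
SAMPLE_GNMAP = "\n".join([
    "# Nmap 2.54BETA scan initiated as: nmap -sS -p- -oG audit.gnmap 192.0.2.0/28",
    "Host: 192.0.2.1 ()\tStatus: Up",
    "Host: 192.0.2.1 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/open/tcp//https///\tIgnored State: closed (65532)",
    "Host: 192.0.2.2 ()\tStatus: Up",
    "Host: 192.0.2.2 ()\tPorts: 25/open/tcp//smtp///, 110/filtered/tcp//pop3///\tIgnored State: closed (65533)",
    "Host: 192.0.2.3 ()\tStatus: Down",
    "Host: 192.0.2.4 ()\tStatus: Up",
    "Host: 192.0.2.4 ()\tPorts: 8080/open/tcp//http-proxy///\tIgnored State: closed (65534)",
    "# Nmap done -- 16 IP addresses (3 hosts up) scanned",
])

HOST_RE = re.compile(r"^Host:\s+(\S+)")
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)//([^/]*)///")

# Services that mean "there is a web server here": these need application-layer
# testing (custom CGIs etc.) on top of what the automated tools report.
WEB_SERVICES = {"http", "https", "http-proxy", "http-alt"}

# Illustrative effort figures (assumption, not from the post): hours per open
# service for manual verification, plus extra hours per web host for the
# application layer that the automated scan does not cover.
HOURS_PER_OPEN_SERVICE = 1.0
HOURS_PER_WEB_HOST = 4.0


def parse_gnmap(text):
    """Return {host: [(port, state, proto, service), ...]} for every host that is up."""
    hosts = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue                      # comment and blank lines
        host = m.group(1)
        if "Status: Down" in line:
            continue                      # not reachable; nothing to test
        ports = hosts.setdefault(host, [])   # a host that is up but has no ports still counts
        if "Ports:" in line:
            field = line.split("Ports:", 1)[1].split("\t", 1)[0]
            for port, state, proto, service in PORT_RE.findall(field):
                ports.append((int(port), state, proto, service))
    return hosts


def scope_pentest(hosts):
    """Turn phase-1 (scan) results into the numbers needed to size phase 2 (pen-test)."""
    open_services = [(h, p, svc) for h, ports in hosts.items()
                     for p, state, _proto, svc in ports if state == "open"]
    web_hosts = sorted({h for h, _p, svc in open_services if svc in WEB_SERVICES})
    return {
        "hosts_up": len(hosts),
        "open_services": len(open_services),
        "by_service": Counter(svc for _h, _p, svc in open_services),
        "web_hosts": web_hosts,
        "estimated_hours": len(open_services) * HOURS_PER_OPEN_SERVICE
                           + len(web_hosts) * HOURS_PER_WEB_HOST,
    }


if __name__ == "__main__":
    summary = scope_pentest(parse_gnmap(SAMPLE_GNMAP))
    print("Hosts up:      ", summary["hosts_up"])
    print("Open services: ", summary["open_services"], dict(summary["by_service"]))
    print("Web hosts needing application-layer testing:", ", ".join(summary["web_hosts"]))
    print("Rough phase-2 estimate: %.1f hours" % summary["estimated_hours"])
```

    Filtered ports are kept in the inventory but excluded from the open-service count, and a host that answers but shows no open ports is still listed, so the "boxes up" figure given to the sales/billing side matches the scan rather than the port table. The web-host list is the part the post's "custom CGIs" remark is about: it is the set of targets the automated tools cannot finish for you.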
    
    =================================================================
    Choose an original e-mail address at www.emails.nl
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
    Service. For more information on SecurityFocus' SIA service which
    automatically alerts you to the latest security vulnerabilities please see:
    https://alerts.securityfocus.com/
    



    This archive was generated by hypermail 2b30 : Thu Sep 06 2001 - 16:32:08 PDT