Penetration Testing mailing list archives
Re: WebServices Testing
From: "mailing lists" <bofn () irq org>
Date: Sun, 08 Oct 2006 12:52:24 +0200
On Fri, 6 Oct 2006 10:27:58 -0400 "Paul Melson" <pmelson () gmail com> wrote:

> -----Original Message-----
> Subject: Re: WebServices Testing
>
>> So... they pay you to do something you know hardly anything about?
>
> I doubt the letter of intent puts it *that* way. :-)

;-)

>> but then again, as mentioned before, most companies do not want to hear how bad it really is, and rather pay a little extra to get a 'filtered' report that they can proudly show at their board meetings, and then pray to Loki that no one will find out about the actual state of their infrastructure.
>
> You're half right. I'm sure his client wants a report that says that their network, their applications, their financials, and their manhoods are all secure. But I doubt they're hoping nobody finds out the ugly truth about their infrastructure because I would wager a guess that they have no idea, either.

*humble salute* correction/addition: if/when they find out, they will often not want to know in my experience, and often make it not appear in their final version of the report. i've been asked many times to take things out of reports, and just told them "you also get a digital copy...." {hint}

>> to sum this up, i think that the cowboys are responsible for the very low standard of infosec awareness on this planet, and they profit from keeping it so.
>
> I disagree. Customers that demand cheap, "teach-to-the-test" audits are what make so-called cowboy project work possible.

do you think one should punish junkies rather than dealers? or... lock out the dealers and try to ensure no dope is required, by guiding the potential junkies away from it. ;-P

> In this case, I think it's unfair to impeach Dallas' skills or ethics. Everybody has to learn some time, and let's not pretend that we've all been auditing web services since day one.

nope.. 1st learned how to program from scratch such a service, on a few platforms.

> I'll be the first to say it's not something I've ever done. At least he knows what he doesn't know and is asking for help now. Believe me when I tell you there are plenty of consultants that would've just pointed Nessus at it and given them a clean report or told them that they need to block ICMP timestamp requests.

:-))

> I do, however, think it's crappy that his employer has put Dallas and their client in a position to succeed poorly or fail well. If the client does their homework and brings all of their resources to the table to assist in the audit and remediation process, poor Dallas will be found out as having no experience in this arena. If they don't, the audit may go off without incident, but the value and depth may be lacking also.

i think that the lad wants to run before he can walk and should tag along with an experienced person before walking it alone.

> But at least the important objective - the account manager making 7% commission on a five-figure audit engagement - will be achieved. Not that I'm jaded or anything.

*grin*

>> and again, the joe and betty in the street are the victim, because their privacy sensitive info and often their savings are compromised at some point, as we keep reading in the media.
>
> The botherders were going to do it anyway. At least now there will be a class action lawsuit that they can get in on. :-)

:)

> PaulM

*Anna
--
"The power of accurate observation is frequently called cynicism by those who don't have it."
Current thread:
- WebServices Testing dallas jordan (Oct 05)
- Re: WebServices Testing mailing lists (Oct 05)
- RE: WebServices Testing Paul Melson (Oct 06)
- Re: WebServices Testing Jamie Riden (Oct 06)
- Re: WebServices Testing Joseph McCray (Oct 06)
- <Possible follow-ups>
- Re: WebServices Testing revnic (Oct 06)
- Re: WebServices Testing mailing lists (Oct 08)
- Re: WebServices Testing mailing lists (Oct 08)
- RE: WebServices Testing Paul Melson (Oct 09)
- Re: WebServices Testing mailing lists (Oct 05)