WebApp Sec mailing list archives

Re: Notes from CISSP class with Dr. Eric Cole


From: Saqib Ali <docbook.xml () gmail com>
Date: Wed, 12 Oct 2005 08:34:40 -0700

The second case involved a pentest where a CISSP had conducted a project
for a web portal.  The CISSP told the customer the portal was secure,
but the customer had concerns about the quality of the work performed.
Again I was called in to check the other CISSP's work and I was able to
gain root access in 6 hours.  That customer now checks the background
and even tests CISSPs before they are allowed to do any work.

It is not the job of a CISSP to tell if an application is secure (hack
proof) or not. It is like asking a District Attorney to perform Police
Detective work. It doesn't work like that. You need a different
skillset to perform detective work.
--
In Peace,
Saqib Ali
http://www.xml-dev.com/blog/
Consensus is good, but informed dictatorship is better.
