WebApp Sec mailing list archives
RE: Defining scope of web application pentest (now scope of an annual medical exam)
From: "Clement Dupuis" <cdupuis () cccure org>
Date: Wed, 12 Dec 2007 22:42:19 -0500
Good day Andy, I totally agree with you that saving life and saving data is very different. The point was not to map to an exact profession but more to illustrate that whenever you deal with someone who provides a services and offer such service, you expect they have the skills and the ability to render the service. Take care Best regards Clement
-----Original Message----- From: Andy Steingruebl [mailto:steingra () gmail com] Sent: Wednesday, December 12, 2007 10:13 PM To: Clement Dupuis Cc: webappsec () securityfocus com Subject: Re: Defining scope of web application pentest (now scope of an annual medical exam) On Dec 9, 2007 5:36 AM, Clement Dupuis <cdupuis () cccure org> wrote:Hum..... It amazes me that one would offer a service call ETHICALhackingand ask such a question as the one posted. Unfortunately it seems tohappentoo many times and all the times. If we wish to be recognize as professional one day this has to change for sure. Let me twist theoriginalposting a bit and pretend you're doing your annual medical exam andyourdoctor would post the following on a medical mailing list that yousubscribeto: ============== Beginning of twisted message ================= From: listbounce () securityfocus com[mailto:listbounce () securityfocus com] OnBehalf Of a Crazy Doctor Sent: Friday, December 07, 2007 12:48 PM To: webappsec () securityfocus com Subject: Defining scope of an Annual medical exam Hi, Can anyone please tell what needs to be considered while defining thescopeof an annual medical exam. Here I am concerned only about thecholesterollevel and heart beat that would exclude every other bit related totheinfrastructure (such as any other vital parts, diabetes, or theoverallbody). Also how do we calculate the effort required to perform anannualmedical exam. The things which I think may be considered are the ageof thepatient, past history, etc. But what else can be considered? Any inputs would be highly appreciated. Cheers Crazy Doctor ============= End of Twisted message ========================== WOULD YOU ACCEPT AND USE SERVICE FROM SUCH A DOCTOR? Why is this acceptable in the Security Testing profession and why dowe seethis all the time? I think before you offer service to clients you have to build theservicefirst. Hopefully the security testing world will mature quickly over time ifwewish to even attempt to call ourselves PROFESSIONALS. Best regards ClementWhile I do see your point - medical practice isn't necessarily the thing you'd want to pick here. Medical practices differ greatly across even industrialized countries. What tests are considered routine, how often they should be administered, at what age, etc. What variances are acceptable and at what point do we call in other diagnostics that cost more, etc. These are topics that are actively debated in the medical community as well. A better example would be: - Can someone tell me what should be done at a 30,000 mile checkup for a 2006 Ford Focus? Sure, we can pull out Ford's manual and tell you exactly. Not sure you'll find a lot of other areas that are quite as cut and dried. I'm not arguing that we couldn't get better at it, but you might want to pick a better example because medicine isn't nearly as cut and dried as you'd make it appear. - Andy
------------------------------------------------------------------------- Sponsored by: Watchfire Methodologies & Tools for Web Application Security Assessment With the rapid rise in the number and types of security threats, web application security assessments should be considered a crucial phase in the development of any web application. What methodology should be followed? What tools can accelerate the assessment process? Download this Whitepaper today! https://www.watchfire.com/securearea/whitepapers.aspx?id=70170000000940F -------------------------------------------------------------------------
Current thread:
- Defining scope of web application pentest Vishal Garg (Dec 08)
- RE: Defining scope of web application pentest Marco M. Morana (Dec 08)
- RE: Defining scope of web application pentest (now scope of an annual medical exam) Clement Dupuis (Dec 12)
- Re: Defining scope of web application pentest (now scope of an annual medical exam) Andy Steingruebl (Dec 14)
- RE: Defining scope of web application pentest (now scope of an annual medical exam) Clement Dupuis (Dec 14)
- Re: Defining scope of web application pentest (now scope of an annual medical exam) Andy Steingruebl (Dec 14)
- RE: Defining scope of web application pentest (now scope of an annual medical exam) Clement Dupuis (Dec 12)
- RE: Defining scope of web application pentest (now scope of an annual medical exam) Vishal Garg (Dec 14)
- RE: Defining scope of web application pentest Marco M. Morana (Dec 08)
- RE: Defining scope of web application pentest Debasis Mohanty (Dec 15)