Comments on: Hit and run pentesters — the cycle repeats http://www.tssci-security.com/archives/2007/09/04/hit-and-run-pentesters-the-cycle-repeats/ top secret/secure computing information Fri, 21 Nov 2008 16:42:27 +0000 http://wordpress.org/?v=2.2.3 By: dre http://www.tssci-security.com/archives/2007/09/04/hit-and-run-pentesters-the-cycle-repeats/#comment-1613 dre Tue, 04 Sep 2007 21:00:28 +0000 http://www.tssci-security.com/archives/2007/09/04/hit-and-run-pentesters-the-cycle-repeats/#comment-1613 There is no reason that an IT/Operations team can't boot the SOX CD from the Syngress book on Sarbanes-Oxley and be up and running with change control for issues that come out of system/network pen-tests within 30 days, including full patch and vulnerability management. If you can't - you need to hire somebody to do this, especially if SAS70 or SOX are on the radar. Even if they are off the radar, do yourself a favor and just do it. Additionally, there is no reason that a development team can't boot the Buildix CD from ThoughtWorks and get running with issue/defect tracking within 30 days, including continuous integration and continuous-prevention development. And to the same effects as network/system security, if not more. As a code reviewer or pen-tester, I wouldn't leave an engagement without these basics covered. In fact, it's difficult to start one without. I would rather walk into an environment and perform a solo, one-day strategy consulting engagement than to start a 2-week, 2-person assessment and run into several barriers (and at over 7.5 times the cost). There is no reason that an IT/Operations team can’t boot the SOX CD from the Syngress book on Sarbanes-Oxley and be up and running with change control for issues that come out of system/network pen-tests within 30 days, including full patch and vulnerability management. If you can’t - you need to hire somebody to do this, especially if SAS70 or SOX are on the radar. Even if they are off the radar, do yourself a favor and just do it.

Additionally, there is no reason that a development team can’t boot the Buildix CD from ThoughtWorks and get running with issue/defect tracking within 30 days, including continuous integration and continuous-prevention development. And to the same effects as network/system security, if not more.

As a code reviewer or pen-tester, I wouldn’t leave an engagement without these basics covered. In fact, it’s difficult to start one without. I would rather walk into an environment and perform a solo, one-day strategy consulting engagement than to start a 2-week, 2-person assessment and run into several barriers (and at over 7.5 times the cost).

]]> By: LonerVamp http://www.tssci-security.com/archives/2007/09/04/hit-and-run-pentesters-the-cycle-repeats/#comment-1611 LonerVamp Tue, 04 Sep 2007 18:10:08 +0000 http://www.tssci-security.com/archives/2007/09/04/hit-and-run-pentesters-the-cycle-repeats/#comment-1611 BTW, on IE6 this comment box is way below the right menu list. BTW, on IE6 this comment box is way below the right menu list.

]]> By: LonerVamp http://www.tssci-security.com/archives/2007/09/04/hit-and-run-pentesters-the-cycle-repeats/#comment-1610 LonerVamp Tue, 04 Sep 2007 18:09:37 +0000 http://www.tssci-security.com/archives/2007/09/04/hit-and-run-pentesters-the-cycle-repeats/#comment-1610 Sometimes companies only pay for the report, but don't want to go further. Some reviewers don't feel comfortable saying, "Ok, we found all this wrong, now hire us to fix it," without sounding a little fishy or self-serving. Keep going down that road, and we're looking at outsourcing security/IT operations to dedicated shops. (Not a bad idea, imo.) I've not read the original post, but I can totally understand why some reports rehash the same old stuff. Until these come in, developers and admins aren't sitting around bored, and changes sometimes mean some money spent or significant time that needs to be written off somewhere and at sometime. Likewise, developers worth their pay will be willing to learn more and improve their code (unless they work in extremely oppressive shops, which happens a LOT), but sometimes that sort of training can't get properly done without some facetime with trainers or testers. Yes, I'm playing a bit of devil's advocate. :) Sometimes companies only pay for the report, but don’t want to go further. Some reviewers don’t feel comfortable saying, “Ok, we found all this wrong, now hire us to fix it,” without sounding a little fishy or self-serving. Keep going down that road, and we’re looking at outsourcing security/IT operations to dedicated shops. (Not a bad idea, imo.)

I’ve not read the original post, but I can totally understand why some reports rehash the same old stuff. Until these come in, developers and admins aren’t sitting around bored, and changes sometimes mean some money spent or significant time that needs to be written off somewhere and at sometime.

Likewise, developers worth their pay will be willing to learn more and improve their code (unless they work in extremely oppressive shops, which happens a LOT), but sometimes that sort of training can’t get properly done without some facetime with trainers or testers.

Yes, I’m playing a bit of devil’s advocate. :)

]]>