Cатсн²² (in)sесuяitу / ChrisJohnRiley

Because we're damned if we do, and we're damned if we don't!

In response to: Fraudulent Security Experts

This post is in response to “Fraudulent Security Experts” as posted on the SNOsoft Research Team Blog

Like a lot of other security professionals (and I use the term loosely), I subscribe to a range of mailing lists to keep my finger on the pulse, so to speak. Amongst the usual posts to the Nessus mailing list (normally followed by a rude, or at the very least rudely worded, response from Tenable & Co.), and the informative posts on the PaulDotCom and SANS mailing lists, there lies the PenTest mailing list. I tend to prefer lurking on this list, as a lot of what I see makes me cringe, and I’ve never taken the time to comment on it before. That is, until I saw the blog post from Adriel T. Desautels on the SNOsoft Research Team blog.

If you’ve not had a chance to read the post, I’ll summarise. His gripe (and rightfully so) is with so-called security professionals selling a service (we’ll use a penetration test as the example here) and then not being qualified to finish the job. I’ve seen it on the mailing list before, but it was the latest instance, a question about SQL injection, that prompted this post.

Now I want to qualify something before we move forward. I have no problem with people asking questions. I like to help people out where I can, and if people want to learn then asking questions is a must. However, when people start their question with something like “I’m doing a pentest for a customer and…” I start to get worried. After all, if you have a customer then you should know enough to cover the basics. Sure, some of the questions are real brain teasers, but a lot fall into the “security 101” arena. Far too many people seem to think that penetration testing is about running nmap and Nessus and walking away. There will always be people looking to make a quick buck, and penetration testing is no exception.

The problem is that there is no easy solution. Certification (as was discussed on the PenTest mailing list recently) is no indication of a person’s true knowledge. Also at fault here are the Human Resources people who think a CISSP means everything security. Anyway, that’s an argument for another day. There is a lack of regulation and accreditation in the security industry as a whole. What accreditation does exist (e.g. CREST, the Council of Registered Ethical Security Testers in the UK) lacks pull and is restricted to government contracts. However, the problem really lies with the customers. I know it’s hard to say, but the average customer will take the lowest and quickest quote. If I say I can do it $100 cheaper and in 2 days less, then I win, no questions asked. Instead, customers need to be asking why you’re better suited to do this test: how many have you done before, can you give sample reports, can you give references for previous work, and can we see the CVs of the staff doing the test? Maybe it’s time for a list of questions the customer needs to ask; after all, right now it’s the penetration testers doing the asking.

2 responses to “In response to: Fraudulent Security Experts”

  1. CG December 18, 2008 at 17:12

    ah the real problem is there is no good place to ask questions and not get flamed. it used to be that if you asked a question about SQLI (but really anything) and you weren’t qualifying that with some sort of “work” you got the “I’m not going to help you hack a site!” answer. now people “who are working on an assessment” can’t ask a question “because now they should know better” to be working!

    not disagreeing at all about your points. It’s ok to be junior and to ask questions but if you sell services you should have someone that knows what is going on as a lead (and in charge) and to mentor the junior people not to make stupid posts to mailing lists 🙂

  2. Chris Riley December 18, 2008 at 19:54

    All good points, and I agree that flaming is a big issue. I remember well posting questions on the Nessus mailing-list and getting flamed for stupid questions (although I think that’s another problem, as it was a recent thing). I think the 2 points here are separate however. Flaming n00bs is a bad thing, but somebody selling a service asking such a junior question brings us to the second problem.

    We all ask stupid questions, that’s how we learn…. After all, my blog is 90% stupid questions and I’m learning 😉
