In response to: Fradulent Security Experts
December 18, 2008
This post is in response to “Fradulent Security Experts” as posted on the SNOsoft Research Team Blog
Like a lot of other security professionals (and I use the term loosely), I subscribe to a range of mailing lists to keep my finger on the pulse, so to speak. Amongst the usual posts to the Nessus mailing list (followed normally by a rude or, at the very least, rudely worded response from Tenable & Co.), and the informative posts on PaulDotCom and the SANS mailing lists, there lies the PenTest mailing list. I tend to prefer lurking on this list, as a lot of what I see makes me cringe. However, I’ve never taken the time to comment on the mailing list before. That is, until I saw the blog post from Adriel T. Desautels on the SNOsoft Research Team blog.
If you’ve not had a chance to read the blog, then I’ll summarise. His gripe (and rightfully so) is about so-called security professionals selling a service (and we’ll use a penetration test here as an example) and then not being qualified to finish the job. I’ve seen it on the mailing list before, but the latest post regarding SQL injection.
Now I want to qualify something before we move forward. I have no problem with people asking questions. I like to help people out where I can, and if people want to learn then asking questions is a must. However, when people start their question with something like “I’m doing a pentest for a customer and…” I start to get worried. After all, if you have a customer then you should know enough to cover the basics. Sure, some of the questions are real brain teasers, but a lot fall into the “security 101” arena. So many people seem to think that penetration testing is about running Nmap and Nessus and walking away. There will always be people looking to make a quick buck, and penetration testing will be no exception.
The problem is that there is no easy solution. Certification (as was discussed in the PenTest mailing list recently) is no indication of a person’s true knowledge. Also at fault here are the Human Resources people who think a CISSP means everything in security. Anyway, that’s an argument for another day. There is a lack of regulation and accreditation in the security industry as a whole. What accreditation does exist (e.g. CREST, the Council of Registered Ethical Security Testers in the UK) lacks pull, and is restricted to government contracts. However, the problem really lies with the customers. I know it’s hard to say, but the average customer will take the lowest and quickest quote. If I say I can do it $100 cheaper and in 2 days less, then I win, no questions asked. Instead, the customers need to be asking why you are better suited to do this test. How many have you done before? Can you give sample reports? Can you give references for previous work? Can we see the CVs of the staff doing the test? Maybe it’s time for a list of questions the customer needs to ask; after all, right now it’s the penetration testers doing the asking.