Tuesday, October 05, 2010
Bad Security Service adds to the Losses after a threat succeeds
One funny thing I have learned is that several security vendors don't really test security effectively, even when contracted to do so. Others may say it's more a matter of jurisdiction or scope, but I think if you are paid to minimize risks for a corporation you should do it at the best value possible.
This brings me to the topic of pentesting. A lot of vendors don't understand what a pentest is, and that affects their clients, leaving them at greater risk: the vendor leaves telling them they are secure, so they let their guard down.
One pentest report I got hold of explained how there were open ports which they didn't or were not able to exploit, but which had holes as seen by a scanner. To keep it short: should a pentest report contain false positives? No, it should have information on the entries that were actually used to get into the target.
The problem is that the above may require a team which is qualified, talented, intelligent and advanced in the field. Let me know your thoughts.