| Subject: | Re: Penetration Testing Methodologies |
|---|---|
| Date: | Tue, 14 Dec 2004 22:37:39 +0000 GMT |
Adriel and List,
Here is my .02 regarding a potential customer's perception of our industry's
ambiguous naming conventions. Let's face it, a name is just a name. The spirit
of the project is the heart of the matter.
A “client” should never be confused since that implies to me the project has
been sold or agreed to. However, a “potential customer” will almost always be
confused by the names we choose for various services until you spend the time
to explain the services in terms of their problems and needs.
The responsibility lies on the sales person and sales process. If they are
already a client and the project manager is left to determine scope and
deliverables you are asking for trouble.
The ideal people, process and technology for each engagement should be
determined based on the needs of the potential customer. This includes the use
of automated tools. Things like budget, network size and stimulus for the
project pop into my mind. There are more.
At Foundstone and at Special Ops Security, our sales teams exercise great care
to be sure the potential customer's needs are met by the selected engagement and
that their expectations are clearly set regarding the project's process &
procedure, project team and deliverables.
Hope that helps,
Erik
----
erik pace birkholz
president, Special Ops Security, Inc.
888-R-U-OWNED
-----Original Message-----
From: "Adriel T. Desautels" <atd@secnetops.com>
Date: Tue, 14 Dec 2004 11:19:45
To:<pen-test@securityfocus.com>
Subject: Penetration Testing Methodologies
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Greetings List,
I am interested in collecting ideas as to what people feel an ideal
penetration test is. What does the ideal methodology look like and
what are the goals? I am asking you this because I have been running
into interesting issues in certain markets. It would appear that some
people view penetration tests as nothing more than basic network
vulnerability audits while others view a penetration test for what it
is, a test designed to compromise target systems as PoC of
vulnerability.
How do people feel about the use of automated tools and the weights
of their results? What about manual or custom testing? We have our
own methodology that we use for testing our client networks, but I am
always interested in learning what else might be done. I'd be happy
to engage anyone in a conversation about this subject.
Regards,
Adriel T. Desautels
Secure Network Operations, Inc.
-----------------------------------------
Office: 978-263-3829 Cell: 978-697-2946
http://www.secnetops.com
CAUTION: The information contained in this mail message is
confidential and may be legally privileged. No confidentiality or
privilege is waived or lost by any mistransmission. If the reader of
this message is not the intended recipient, you are hereby notified
that any use, dissemination, or reproduction of this message is
prohibited. If you have received this message in error please notify
the sender immediately by email and destroy the original message.
Thank you
-----BEGIN PGP SIGNATURE-----
Version: PGP 8.1
Comment: http://www.secnetops.com
iQA/AwUBQb8SQ7R5YB3MHZrzEQIs4QCgh/nnbznNp7MgI8lBTWQfCr+xlTkAn1yk
ZZu2wdM22W3VbqMr2HF2obEx
=DQTm
-----END PGP SIGNATURE-----
____________________[via Blackberry]____________________
Erik Pace Birkholz
Special Ops Security
888-R-U-OWNED x187