Good day Andy,
I totally agree with you that saving life and saving data is very different.
The point was not to map to an exact profession but more to illustrate that
whenever you deal with someone who provides a services and offer such
service, you expect they have the skills and the ability to render the
service.
Take care
Best regards
Clement
-----Original Message-----
From: Andy Steingruebl [mailto:steingra@gmail.com]
Sent: Wednesday, December 12, 2007 10:13 PM
To: Clement Dupuis
Cc: webappsec@securityfocus.com
Subject: Re: Defining scope of web application pentest (now scope of an
annual medical exam)
On Dec 9, 2007 5:36 AM, Clement Dupuis <cdupuis@cccure.org> wrote:
Hum..... It amazes me that one would offer a service call ETHICAL
hacking
and ask such a question as the one posted. Unfortunately it seems to
happen
too many times and all the times. If we wish to be recognize as
professional one day this has to change for sure. Let me twist the
original
posting a bit and pretend you're doing your annual medical exam and
your
doctor would post the following on a medical mailing list that you
subscribe
to:
============== Beginning of twisted message =================
From: listbounce@securityfocus.com
[mailto:listbounce@securityfocus.com] On
Behalf Of a Crazy Doctor
Sent: Friday, December 07, 2007 12:48 PM
To: webappsec@securityfocus.com
Subject: Defining scope of an Annual medical exam
Hi,
Can anyone please tell what needs to be considered while defining the
scope
of an annual medical exam. Here I am concerned only about the
cholesterol
level and heart beat that would exclude every other bit related to
the
infrastructure (such as any other vital parts, diabetes, or the
overall
body). Also how do we calculate the effort required to perform an
annual
medical exam. The things which I think may be considered are the age
of the
patient, past history, etc.
But what else can be considered?
Any inputs would be highly appreciated.
Cheers
Crazy Doctor
============= End of Twisted message ==========================
WOULD YOU ACCEPT AND USE SERVICE FROM SUCH A DOCTOR?
Why is this acceptable in the Security Testing profession and why do
we see
this all the time?
I think before you offer service to clients you have to build the
service
first.
Hopefully the security testing world will mature quickly over time if
we
wish to even attempt to call ourselves PROFESSIONALS.
Best regards
Clement
While I do see your point - medical practice isn't necessarily the
thing you'd want to pick here. Medical practices differ greatly
across even industrialized countries. What tests are considered
routine, how often they should be administered, at what age, etc.
What variances are acceptable and at what point do we call in other
diagnostics that cost more, etc. These are topics that are actively
debated in the medical community as well.
A better example would be:
- Can someone tell me what should be done at a 30,000 mile checkup
for a 2006 Ford Focus?
Sure, we can pull out Ford's manual and tell you exactly.
Not sure you'll find a lot of other areas that are quite as cut and
dried. I'm not arguing that we couldn't get better at it, but you
might want to pick a better example because medicine isn't nearly as
cut and dried as you'd make it appear.
- Andy
-------------------------------------------------------------------------
Sponsored by: Watchfire
Methodologies & Tools for Web Application Security Assessment
With the rapid rise in the number and types of security threats, web
application security assessments should be considered a crucial phase in the
development of any web application. What methodology should be followed? What
tools can accelerate the assessment process? Download this Whitepaper today!
https://www.watchfire.com/securearea/whitepapers.aspx?id=70170000000940F
-------------------------------------------------------------------------
