That will come soon...

On Thu, 20 Dec 2007 10:32:51 -0500 "guiness.stout" <[EMAIL PROTECTED]> wrote:
> What kind of grading scale will you use? A through F or maybe a 1 to 10 type scale? I am very interested in your services!
>
> On Dec 20, 2007 10:09 AM, Kurt Dillard <[EMAIL PROTECTED]> wrote:
>>
>> Because it's absurd to write a review for a service without actually experiencing the service. The original poster's messages have only had entertainment value; they've had no value from an information security perspective. If you'd like to provide a link to your MSN profile and facebook pages I'll write up a resume for you. Does that sound like a good idea?
>>
>> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Epic
>> Sent: Thursday, December 20, 2007 11:56 AM
>> To: c0redump
>> Cc: [email protected]
>> Subject: Re: [Full-disclosure] [Professional IT Security Providers -Exposed] Cybertrust ( C + )
>>
>> Isn't ANY review subjective to opinion? I do not understand the basis of this flame. It appears to me that a lot of the reviews on this site offer some great insight into the companies being presented. Granted it is an opinion, but that is what a blog is, isn't it?
>>
>> On 12/20/07, c0redump <[EMAIL PROTECTED]> wrote:
>>
>> Exactly. Your 'grading' is based on your personal opinion.
>>
>> Do us all a favour and get a proper job.
>>
>> ----- Original Message -----
>> From: "guiness.stout" <[EMAIL PROTECTED]>
>> To: <[email protected]>
>> Sent: Thursday, December 20, 2007 2:05 PM
>> Subject: Re: [Full-disclosure] [Professional IT Security Providers -Exposed] Cybertrust ( C + )
>>
>> > I'm not really clear on how you are grading these companies. I've had no personal experience with them but I don't decide a company's quality of work simply by their website and what information I get from some customer support person. These "grades" seem pointless and frankly unfounded. You should reword your grading system to specify the ease of use of their websites and not the service they provide. Especially if you haven't ordered any services from them. I'm not defending anyone here, just pointing out some flaws in this "grading."
>> >
>> > On Dec 20, 2007 12:11 AM, secreview <[EMAIL PROTECTED]> wrote:
>> >> One of our readers made a request that we review Cybertrust ("http://www.cybertrust.com"). Cybertrust was recently acquired by Verizon and as a result this review was a bit more complicated and required a lot more digging to complete (in fact it's now Cybertrust and Netsec). Nevertheless, we managed to dig information specific to Cybertrust out of Verizon representatives. We would tell you that we used the website for information collection, but in all reality the website was useless. Not only was it horribly written and full of marketing fluff, but the services were not clearly defined.
>> >>
>> >> As an example, when you view the Cybertrust services in their drop down menu you are presented with the following service offerings: Application Security, Assessments, Certification, Compliance/Governance, Consulting, Enterprise Security, Identity Management, Investigative Response/Forensics, Managed Security Services, Partner Security Program, Security Management Program, and SSL Certificates. The first thing you think is "what the hell?" The second is "ok so they offer 12 services".
>> >>
>> >> Well as you dig into each service you quickly find out that they do not offer 12 services, but instead they have 12 links to 12 different pages full of marketing fluff. As you read each of the pages in an attempt to wrap your mind around what they are offering as individually packaged services you're left with more questions than answers. So again, what the hell?
>> >>
>> >> Here's an example. Their "Application Security" service page does not contain a description about a Web Application Security service. In fact, it doesn't even contain a description about a System Software/Application security service. Instead it contains a super high level, super vague and fluffy description that covers a really general idea of "Application" security services. When you really read into it you find out that their Application Security service should be broken down into multiple different defined service offerings.
>> >>
>> >> Even more frustrating is that their Application Security service is a consulting service and that they have a separate service offering called Consulting. When you read the description for Consulting, it is also vague and mostly useless, but does cover the "potential" for Application Security.
>> >>
>> >> So, trying to learn anything about Cybertrust from their web page is like trying to pull teeth out of a possessed chicken. We decided that we would move on and call Cybertrust to see what we could get out of them with a conversation. That proved to be a real pain in the ass too as their website doesn't list any telephone numbers. We ended up calling Verizon and after talking to 4 people we finally found a Cybertrust representative.
>> >>
>> >> At last, a human being that could provide us with useful information and answers to our questions about their services. We did receive about 2mb of materials from our contact at Cybertrust, but the materials were all marketing fluff, totally useless. That being said, our conversation with the representative gave us a very clear understanding of how Cybertrust delivers their services. In all honesty, we were not all that impressed.
>> >>
>> >> Cybertrust does perform their own Vulnerability Research and Development (or so we were told) under the umbrella of ICSAlabs which they own. Usually we'd say that this is great because that research is often used to augment services and enhance overall service quality. With respect to Cybertrust, we couldn't find out what they were doing with their research. They just told us that they don't release advisories and then refused to tell us what they did with the research.
>> >>
>> >> When we asked them about their services and testing methodologies, we were first told that they couldn't discuss that. We were told that their methodologies were confidential. But after a bit of Social Engineering and sweet talking we were able to get more information...
>> >>
>> >> As it turns out, the majority of the Cybertrust services rely on what they say are proprietary automated scanners which were developed in-house. Their methodology is to run the automated scanners against a specific target or set of targets, and then to pass the results to a seasoned professional. That professional then verifies the results via manual testing and produces a report that contains the vetted results.
>> >>
>> >> This methodology doesn't really offer any depth and doesn't do much to raise the proverbial security bar. In fact, it is only slightly better than running a Qualys scan, changing the wording of the report, and delivering that. Quality methodologies should contain no more than 20% automated testing and no less than 80% manual testing. Vulnerability discovery should be done via manual testing, not just via automated testing.
>> >>
>> >> In defense of Cybertrust, they did say that they would test in accordance with the customer's requirements. They also did say that if the customer wanted 100% manual testing that they would do it. If they want 100% automated "rubber stamp of approval" testing they would do that too. Saying it is a lot different than doing it though, and we weren't impressed with their standard/default testing methodology as previously mentioned.
>> >>
>> >> It is important to note that Cybertrust is also a full service security provider. They offer a wide range of services from supporting secure product development services, to security testing, and even forensic services. With that said, their services do not seem to be anything special. In fact, they seem to be just about average short of their horrible website and overwhelming marketing fluff.
>> >>
>> >> It is our recommendation that you choose a different provider if you are looking for well defined, high quality services. Cybertrust is cloaked in a thick layer of marketing fluff and frankly doesn't seem to be very easy to work with. That being said, they were also not easy to review. If you disagree with this post or have worked with Cybertrust in the past, then please leave us a comment. We're going to give Cybertrust a "C" but if you can convince us that they deserve a different grade then we'll revise our opinion.
>> >>
>> >> Thanks for reading.
>> >>
>> >> --
>> >> Posted By secreview to Professional IT Security Providers - Exposed at 12/19/2007 07:32:00 PM
>> >> _______________________________________________
>> >> Full-Disclosure - We believe in it.
>> >> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> >> Hosted and sponsored by Secunia - http://secunia.com/

Regards,
The Secreview Team
http://secreview.blogspot.com
Professional IT Security Service Providers - Exposed
