Pentest Letter of Achievement/Certificate

    Hi,

    Any of you know if any 'standards' or accepted guidelines exist for a letter
    or certification of successful resistance to Penetration Testing/Vulnerability
    Assessment? Customers often demand to have proof delivered by their
    Penetration Test service provider to show to their partners and customers.

    The idea of course is not to disclose sensitive information but to briefly
    describe the environment tested and how - according to which methodologies
    and the attack vectors tested for.

    Thanks in advance
  • No.1

    I think http://www.isecom.org/osstmm/ might cover what you're looking
    for

    John


  • No.2

    I find the concept of giving someone a certificate for resisting a
    penetration test very dangerous. Nothing can guarantee that after the
    test (especially a blind penetration test) all vulnerabilities have
    been found and identified. What value does your certificate have if
    another company comes by and finds one more hole? Then you issued a
    certificate that will only endanger the name and reputation of your
    company. What is the value then? Because of this, big companies
    will always have different partners when it comes to the security
    testing of their infrastructure.

    my 2 cents

    Tom
  • No.3

    Tom Van de Wiele wrote:

    > I find the concept of giving someone a certificate for resisting a
    > penetration test very dangerous. Nothing can guarantee that after the
    > test (especially a blind penetration test) all vulnerabilities have
    > been found and identified.

    It's all a matter of what the certificate attests to and how it
    is interpreted.

    I see nothing wrong with a statement affirming compliance with
    consensus best practice, or acceptable resistance to the known,
    relevant vulnerabilities on a certain date, etc.

    This is by no means a guarantee of "safety" or "security," but
    it might be a useful tool in establishing a disciplined approach
    to risk.

    Dubious analogy: my mechanic signs an inspection certificate that
    says that the tire pressure, chain tension, steering, brakes, etc.
    are in good condition on my motorcycle -- he's not promising that
    I won't crash.
  • No.4

    Usually, a detailed report is created in two versions by the company
    that does the pentest. One version is the executive report which
    states the conclusions and recommendations, the other is the detailed
    technical report of what was tested and why. I think this serves as
    enough proof for the customer, no?

    Tom

    On 7/13/05, blowfish 448 <blowfish448 (AT) hotmail (DOT) com> wrote:

    > Tom, Ralph,
    >
    > thanks for the input, and I totally agree. I should have been paying more
    > attention to the wording I used. It's not so much providing a certificate
    > of success, here I agree with your arguments, but rather an objective
    > statement that penetration testing has been executed at a certain period
    > in time on infrastructure X at customer Y by company Z. This so they can
    > show to their customer base they take security seriously and have
    > undergone testing.
    >
    > From my experience in the financial market, customers and partners - e.g.
    > other banks - of financial organisations asking for such proof is
    > absolutely not uncommon.
    >
    > Thanks

  • No.5


    Isn't the final pentester's report what is being asked for here?(0)
    Are companies really hung up on and seeking gold stars to post in public
    areas and at the bottom of stationery? Kinda like the certifications that
    M$ got for NT back in the late 90's I guess, meaningless in any env other
    than the single system they had tested.

    Thanks,

    Ron DuFresne

    (0) In most cases that pentester's report is likely to be backed with the
    corp documentation showing how they mitigated the issues found during the
    pentest. After all, few companies should ever come out of a thorough
    pentest unscathed. So they document how they corrected what was
    discovered, and perhaps have another outside party verify the
    'corrections'. But gold stars and report cards, or neat little
    certificates in frames? <shakes his head>

    --

    admin & senior security consultant: sysinfo.com
    http://sysinfo.com
    Key fingerprint = 9401 4B13 B918 164C 647A E838 B2DF AFCC 94B0 6629

    We waste time looking for the perfect lover
    instead of creating the perfect love.

    -Tom Robbins <Still Life With Woodpecker>
  • No.6

    First off, I guess I read between the lines of blowfish's orig. post -
    was trying to provide a seal of approval so to speak, saying that a
    given pen test was conducted in a thorough manner by a respectable
    source.

    Did a quick review of the 2.1 docs; what I was thinking of isn't quite
    a letter as you were looking for (that's done in 5 mins with a word
    processor) but there's a seal and verbiage on page 11 that "certifies"
    to a degree what's been done.

    What it comes down to, though, is if one follows the manual for the
    pentest, and issues a thorough report following the templates, you
    should end up with a fairly thick and useful document. At that point,
    putting a signed page with a seal on it at the front should satisfy most
    people.

    btw, isecom guys - is dead, although
    linked to in a public document. tsk, tsk. :)

    John

    On Wed, Jul 13, 2005 at 10:33:10AM +0200, blowfish 448 wrote:

    > Hi John,
    >
    > I checked and in the currently available OSSTMM 2.1 version there is a
    > certain 'data sheet' mentioned in the accreditation section. It says
    > however in the document that such a data sheet is only available in
    > vs. 2.5, which I could not trace back. After 2.1 the next one set for
    > release is 3.0. Do you know of such a 2.5 version maybe?
    >
    > Thanks


    > > From: John Kinsella <jlk (AT) thrashyour (DOT) com>
    > > Reply-To: John Kinsella <jlk (AT) thrashyour (DOT) com>
    > > To: blowfish 448 <blowfish448 (AT) hotmail (DOT) com>
    > > CC: pen-test (AT) securityfocus (DOT) com
    > > Subject: Re: Pentest Letter of Achievement/Certificate
    > > Date: Tue, 12 Jul 2005 19:29:43 -0700
    > >
    > > I think http://www.isecom.org/osstmm/ might cover what you're looking
    > > for
    > >
    > > John


  • No.7

    The dubious part of certification of a network is that it is a "snapshot"
    in time. At that particular instant in time a network or application can
    be certified, as in an annual car inspection, as indicated in the latter
    part of the post. This goes for certain organizations attempting to "tag"
    their offering as secure in a staging area prior to arriving and being
    installed within an enterprise network. If IT/security admins alter a
    security policy or a security rule that could possibly compromise the
    "security tagging" or "security certification", all bets are off. So if
    we were to return to the car inspection example, a car could pass
    inspection and receive its inspection pass sticker, but the inspection
    pass could be compromised as soon as the car pulls away from the
    inspecting garage, if a rock jumps up from the road and breaks the
    headlight. Now the car inspection "pass" is compromised.

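    As an added example (not code from the thread, from ISECOM or from any of
    the posters): the letter blowfish is after, "company Z tested infrastructure
    X at customer Y in period P according to methodology M", written down as
    exactly that and nothing more, so that a partner can check it the way Michael
    Sierchio's "on a certain date" wording and the snapshot point above require.
    The tester signs the statement with Ed25519; the relying party verifies the
    signature against the tester's published key and then applies its own
    maximum age, because nothing in the letter survives either a change to the
    scope or the passage of time. The parties, dates, hostnames, the 365-day
    limit and the in-memory key handling are all hypothetical; the scope is
    bound by a digest of the asset list so the list itself never has to be
    disclosed to third parties.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"sort"
	"time"
)

// Attestation is everything the letter claims: who tested what scope for whom,
// when, by which methodology and attack vectors. No findings, no "is secure".
type Attestation struct {
	Tester        string   `json:"tester"`
	Customer      string   `json:"customer"`
	Methodology   string   `json:"methodology"`
	VectorsTested []string `json:"vectors_tested"`
	ScopeSHA256   string   `json:"scope_sha256"` // digest of the asset list, not the list
	TestStart     string   `json:"test_start"`   // YYYY-MM-DD
	TestEnd       string   `json:"test_end"`     // YYYY-MM-DD
}

// SignedAttestation is what the customer hands to partners: the statement plus
// the tester's Ed25519 signature (hex) over canonical().
type SignedAttestation struct {
	Attestation Attestation `json:"attestation"`
	Signature   string      `json:"signature"`
}

// canonical is the signed byte string. encoding/json writes struct fields in
// declaration order without whitespace, so the verifier reproduces it exactly;
// Marshal cannot fail for a struct holding only strings and string slices.
func canonical(a Attestation) []byte {
	msg, _ := json.Marshal(a)
	return msg
}

// ScopeDigest binds the letter to an asset list without disclosing it; a partner
// shown the list recomputes it. Sorted, NUL-terminated entries fix order and boundaries.
func ScopeDigest(assets []string) string {
	sorted := append([]string(nil), assets...)
	sort.Strings(sorted)
	h := sha256.New()
	for _, a := range sorted {
		h.Write(append([]byte(a), 0))
	}
	return hex.EncodeToString(h.Sum(nil))
}

// NewTesterKey makes the tester's key pair; publishing the public half is
// assumed to happen out of band and is not shown here.
func NewTesterKey() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// Sign is the tester's side: issue the letter.
func Sign(priv ed25519.PrivateKey, a Attestation) SignedAttestation {
	return SignedAttestation{Attestation: a, Signature: hex.EncodeToString(ed25519.Sign(priv, canonical(a)))}
}

// Verify is the relying party's side: the statement must be exactly what the
// tester signed and the test must have ended within maxAgeDays of asOf (the
// relying party's own policy, because the letter is a snapshot).
func Verify(pub ed25519.PublicKey, s SignedAttestation, asOf string, maxAgeDays int) error {
	sig, err := hex.DecodeString(s.Signature)
	if err != nil {
		return err
	}
	if len(pub) != ed25519.PublicKeySize || !ed25519.Verify(pub, canonical(s.Attestation), sig) {
		return errors.New("signature does not verify against the tester's key")
	}
	end, errEnd := time.Parse("2006-01-02", s.Attestation.TestEnd)
	now, errNow := time.Parse("2006-01-02", asOf)
	if errEnd != nil || errNow != nil {
		return errors.New("dates must be YYYY-MM-DD")
	}
	if now.Sub(end) > time.Duration(maxAgeDays)*24*time.Hour {
		return fmt.Errorf("stale: test ended %s, limit is %d days", s.Attestation.TestEnd, maxAgeDays)
	}
	return nil
}

func main() {
	pub, priv, _ := NewTesterKey() // key from crypto/rand; error ignored in this demo only
	letter := Sign(priv, Attestation{ // hypothetical parties and scope
		Tester: "Company Z", Customer: "Customer Y", Methodology: "OSSTMM 2.1",
		VectorsTested: []string{"external network", "web application"},
		ScopeSHA256:   ScopeDigest([]string{"www.example.test", "vpn.example.test"}),
		TestStart:     "2005-07-04", TestEnd: "2005-07-08",
	})
	fmt.Println("fresh letter:", Verify(pub, letter, "2005-08-01", 365))
	fmt.Println("two years on:", Verify(pub, letter, "2007-08-01", 365))
	letter.Attestation.VectorsTested = append(letter.Attestation.VectorsTested, "wireless")
	fmt.Println("edited scope:", Verify(pub, letter, "2005-08-01", 365))
}
```

    The third call in main is the case Tom Van de Wiele and Ron DuFresne worry
    about: once anything in the statement is edited after signing (a vector
    added, the scope widened, the dates moved), the signature no longer
    verifies, so the letter cannot quietly grow into a claim the tester never
    made. The age check is the practical form of the "snapshot" caveat: the
    relying party, not the tester, decides how old a test may be before the
    letter stops counting.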
  • No.8

    Completely concur, but for some people ya just gotta put one of these on
    there:

    http://tinyurl.com/cqjzh

    Kidding aside, I think the OSSTMM is a good reference for a lot of
    people, and as a client I think I'd feel pretty confident that a good
    job had been done if this methodology had been done with gusto by a
    pentester I hired. The seal/letter's basically a gold star for those
    who know, and a blinky light for the management. (ok I rank it
    significantly higher than the MS NT thing, but ya get the idea,
    hopefully)

    John

  • No.9

    Hi,

    Does anybody know well-known threats and vulnerabilities in the GPRS
    system? We are working on a master thesis named how to deploy secure GPRS
    network. We searched Google but couldn't get enough information. We need
    something new about GPRS threats.

    Thank you very much for your help in advance

    Ali Dinckan
  • No.10

    On 7/14/05, dinckan (AT) uekae (DOT) tubitak.gov.tr <dinckan (AT) uekae (DOT) tubitak.gov.tr> wrote:

    > Hi,
    >
    > Does anybody know well-known threats and vulnerabilities in the GPRS
    > system? We are working on a master thesis named how to deploy secure GPRS
    > network. We searched Google but couldn't get enough information.

    I'm sure these are on Google but just some bookmarks I had:

    Some good papers on GSM-GPRS deployment security and great
    cryptanalysis writings for A5/1,2,3

    Some good papers here too, one specifically for GPRS arch. security if
    I remember right.

    Could always try building a protocol fuzzer :-P afaik ethereal handles
    at least GPRS-GTP

    > We need something new about GPRS threats.
    >
    > Thank you very much for your help in advance
    >
    > Ali Dinckan

    Good luck,
    Tebodell
  • No.11

    NIST has guidance on doing C&A (Certification & Accreditation). The NIST
    Special Publication 800-18 or the soon to be released 800-53 are some good
    documents to look at.

    http://www.nist.gov

  • No.12

    On 7/15/05, dinckan (AT) uekae (DOT) tubitak.gov.tr <dinckan (AT) uekae (DOT) tubitak.gov.tr> wrote:

    > Hi,
    >
    > Does anybody know well-known threats and vulnerabilities in the GPRS
    > system? We are working on a master thesis named how to deploy secure GPRS
    > network. We searched Google but couldn't get enough information. We need
    > something new about GPRS threats.

    If you want something new it's not well-known, is it? Sorry, just
    nitpicking ;-)

    Anyway, why not take a look at the papers by Ulrike Meyer and Susanne
    Wetzel (one of them being "ON THE IMPACT OF GSM ENCRYPTION AND
    MAN-IN-THE-MIDDLE ATTACKS ON THE SECURITY OF INTEROPERATING GSM/UMTS
    NETWORKS"), from late 2004 IIRC. The issues were discussed in 3GPP and
    there is an analysis available from www.3gpp.org, can't readily find
    the link though.

    In general you might want to take a look at the contributions to the
    SA3 meetings, as SA3 is responsible for security issues in GSM and
    UMTS. Quick googling turned up for instance
    ,
    which contains several interesting references.

    /Johan
  • No.13

    Hello All,

    Can you recommend a methodology to conduct a 'source code review'
    (security review) of portals (WLP8, commonPortal/cpDomain, etc.)?

    Regards
    Manoj
