Exactly. Your 'grading' is based on your personal opinion. Do us all a favour and get a proper job.
----- Original Message -----
From: "guiness.stout" <[EMAIL PROTECTED]>
To: <full-disclosure@lists.grok.org.uk>
Sent: Thursday, December 20, 2007 2:05 PM
Subject: Re: [Full-disclosure] [Professional IT Security Providers -Exposed] Cybertrust ( C + )

> I'm not really clear on how you are grading these companies. I've had no personal experience with them but I don't decide a company's quality of work simply by their website and what information I get from some customer support person. These "grades" seem pointless and frankly unfounded. You should reword your grading system to specify the ease of use of their websites and not the service they provide. Especially if you haven't ordered any services from them. I'm not defending anyone here, just pointing out some flaws in this "grading."
>
> On Dec 20, 2007 12:11 AM, secreview <[EMAIL PROTECTED]> wrote:
>> One of our readers made a request that we review Cybertrust ("http://www.cybertrust.com"). Cybertrust was recently acquired by Verizon and as a result this review was a bit more complicated and required a lot more digging to complete (in fact it's now Cybertrust and Netsec). Nevertheless, we managed to dig information specific to Cybertrust out of Verizon representatives. We would tell you that we used the website for information collection, but in all reality the website was useless. Not only was it horribly written and full of marketing fluff, but the services were not clearly defined.
>>
>> As an example, when you view the Cybertrust services in their drop down menu you are presented with the following service offerings: Application Security, Assessments, Certification, Compliance/Governance, Consulting, Enterprise Security, Identity Management, Investigative Response/Forensics, Managed Security Services, Partner Security Program, Security Management Program, and SSL Certificates. The first thing you think is "what the hell?" the second is "ok so they offer 12 services".
>>
>> Well as you dig into each service you quickly find out that they do not offer 12 services, but instead they have 12 links to 12 different pages full of marketing fluff. As you read each of the pages in an attempt to wrap your mind around what they are offering as individually packaged services you're left with more questions than answers. So again, what the hell?
>>
>> Here's an example. Their "Application Security" service page does not contain a description about a Web Application Security service. In fact, it doesn't even contain a description about a System Software/Application security service. Instead it contains a super high level, super vague and fluffy description that covers a really general idea of "Application" security services. When you really read into it you find out that their Application Security service should be broken down into multiple different defined service offerings.
>>
>> Even more frustrating is that their Application Security service is a consulting service and that they have a separate service offering called Consulting. When you read the description for Consulting, it is also vague and mostly useless, but does cover the "potential" for Application Security.
>>
>> So, trying to learn anything about Cybertrust from their web page is like trying to pull teeth out of a possessed chicken. We decided that we would move on and call Cybertrust to see what we could get out of them with a conversation. That proved to be a real pain in the ass too as their website doesn't list any telephone numbers. We ended up calling Verizon and after talking to 4 people we finally found a Cybertrust representative.
>>
>> At last, a human being that could provide us with useful information and answers to our questions about their services. We did receive about 2mb of materials from our contact at Cybertrust, but the materials were all marketing fluff, totally useless. That being said, our conversation with the representative gave us a very clear understanding of how Cybertrust delivers their services. In all honesty, we were not all that impressed.
>>
>> Cybertrust does perform their own Vulnerability Research and Development (or so we were told) under the umbrella of ICSAlabs which they own. Usually we'd say that this is great because that research is often used to augment services and enhance overall service quality. With respect to Cybertrust, we couldn't find out what they were doing with their research. They just told us that they don't release advisories and then refused to tell us what they did with the research.
>>
>> When we asked them about their services and testing methodologies, we were first told that they couldn't discuss that. We were told that their methodologies were confidential. But after a bit of Social Engineering and sweet talking we were able to get more information...
>>
>> As it turns out, the majority of the Cybertrust services rely on what they say are proprietary automated scanners which were developed in-house. Their methodology is to run the automated scanners against a specific target or set of targets, and then to pass the results to a seasoned professional. That professional then verifies the results via manual testing and produces a report that contains the vetted results.
>>
>> This methodology doesn't really offer any depth and doesn't do much to raise the proverbial security bar. In fact, it is only slightly better than running a Qualys scan, changing the wording of the report, and delivering that. Quality methodologies should contain no more than 20% automated testing and no less than 80% manual testing. Vulnerability discovery should be done via manual testing, not just via automated testing.
>>
>> In defense of Cybertrust, they did say that they would test in accordance with the customers' requirements. They also did say that if the customer wanted 100% manual testing that they would do it. If they want 100% automated "rubber stamp of approval" testing they would do that too. Saying it is a lot different than doing it though and we weren't impressed with their standard/default testing methodology as previously mentioned.
>>
>> It is important to note that Cybertrust is also a full service security provider. They offer a wide range of services from supporting secure product development services, to security testing, and even forensic services. With that said, their services do not seem to be anything special. In fact, they seem to be just about average short of their horrible website and overwhelming marketing fluff.
>>
>> It is our recommendation that you choose a different provider if you are looking for well defined, high quality services. Cybertrust is cloaked in a thick layer of marketing fluff and frankly doesn't seem to be very easy to work with. That being said, they were also not easy to review. If you disagree with this post or have worked with Cybertrust in the past, then please leave us a comment. We're going to give Cybertrust a "C" but if you can convince us that they deserve a different grade then we'll revise our opinion.
>>
>> Thanks for reading.
>>
>> --
>> Posted By secreview to Professional IT Security Providers - Exposed at
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/