Yes, a blog is an opinion, typically. And a blog that reviews a product, <b>tried the product.</b> Seriously, find a blog that reviewed a product without actually trying it, but almost purely by looking at the marketing material on the product.
<br><br>That's an incredibly fundamental difference which makes these reviews pretty much worthless.<br><br>If you had a product you were selling, would you want someone to review it without even trying it?<br><br><br>
<br><div class="gmail_quote">On Dec 20, 2007 7:55 AM, Epic <<a href="mailto:epic@hack3r.com">epic@hack3r.com</a>> wrote:<br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
Isn't ANY review subjective to opinion? I do not understand the basis of this flame. It appears to me that a lot of the reviews on this site offer some great insight into the companies being presented. Granted it is an opinion, but that is what a blog is, isn't it?
<div><div></div><div class="Wj3C7c"><br><br>
<div><span class="gmail_quote">On 12/20/07, <b class="gmail_sendername">c0redump</b> <<a href="mailto:c0redump@ackers.org.uk" target="_blank">c0redump@ackers.org.uk</a>> wrote:</span>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0px 0px 0px 0.8ex; padding-left: 1ex;">Exactly. Your 'grading' is based on your personal opinion.<br><br>Do us all a favour and get a proper job.
<br><br>----- Original Message -----<br>From: "guiness.stout" <<a href="mailto:guinness.stout@gmail.com" target="_blank">guinness.stout@gmail.com</a>><br>To: <<a href="mailto:full-disclosure@lists.grok.org.uk" target="_blank">
full-disclosure@lists.grok.org.uk
</a>><br>Sent: Thursday, December 20, 2007 2:05 PM<br>Subject: Re: [Full-disclosure] [Professional IT Security Providers -Exposed]<br>Cybertrust ( C + )<br><br><br>> I'm not really clear on how you are grading these companies. I've had
<br>> no personal experience with them but I don't decide a company's<br>> quality of work simply by their website and what information I get<br>> from some customer support person. These "grades" seem pointless and
<br>> frankly unfounded. You should reword your grading system to specify<br>> the ease of use of their websites and not the service they provide.<br>> Especially if you haven't ordered any services from them. I'm not
<br>> defending anyone here just pointing out some flaws in this "grading."<br>><br>> On Dec 20, 2007 12:11 AM, secreview <<a href="mailto:secreview@hushmail.com" target="_blank">secreview@hushmail.com
</a>> wrote:
<br>>> One of our readers made a request that we review Cybertrust<br>>> ("<a href="http://www.cybertrust.com" target="_blank">http://www.cybertrust.com</a>"). Cybertrust was recently acquired by<br>
>> Verizon
<br>>> and as a result this review was a bit more complicated and required a lot<br>>> more digging to complete (In fact it's now Cybertrust and Netsec).<br>>> Nevertheless, we managed to dig information specific to Cybertrust out of Verizon
<br>>> representatives. We would tell you that we used the website for<br>>> information<br>>> collection, but in all reality the website was useless. Not only was it<br>>> horribly written and full of marketing fluff, but the services were not
<br>>> clearly defined.<br>>><br>>> As an example, when you view the Cybertrust services in their drop down<br>>> menu<br>>> you are presented with the following service offerings: Application
<br>>> Security, Assessments, Certification, Compliance/Governance, Consulting,<br>>> Enterprise Security, Identity Management Investigative Response<br>>> /Forensics,<br>>> Managed Security Services, Partner Security Program Security Management
<br>>> Program, and SSL Certificates. The first thing you think is "what the<br>>> hell?"<br>>> the second is "ok so they offer 12 services".<br>>><br>>> Well as you dig into each service you quickly find out that they do not
<br>>> offer 12 services, but instead they have 12 links to 12 different pages<br>>> full<br>>> of marketing fluff. As you read each of the pages in an attempt to wrap<br>>> your<br>>> mind around what they are offering as individually packaged services
<br>>> you're<br>>> left with more questions than answers. So again, what the hell?<br>>><br>>> Here's an example. Their "Application Security" service page does not<br>>> contain a description about a Web Application Security service. In fact,
<br>>> it<br>>> doesn't even contain a description about a System Software/Application<br>>> security service. Instead it contains a super high level, super vague and<br>>> fluffy description that covers a really general idea of "Application"
<br>>> security services. When you really read into it you find out that their<br>>> Application Security service should be broken down into multiple<br>>> different<br>>> defined service offerings.
<br>>><br>>> Even more frustrating is that their Application Security service is a<br>>> consulting service and that they have a separate service offering called<br>>> Consulting. When you read the description for Consulting, it is also
<br>>> vague<br>>> and mostly useless, but does cover the "potential" for Application<br>>> Security.<br>>><br>>> So, trying to learn anything about Cybertrust from their web page is like
<br>>> trying to pull teeth out of a possessed chicken. We decided that we would<br>>> move on and call Cybertrust to see what we could get out of them with a<br>>> conversation. That proved to be a real pain in the ass too as their
<br>>> website<br>>> doesn't list any telephone numbers. We ended up calling Verizon and after<br>>> talking to 4 people we finally found a Cybertrust representative.<br>>><br>>> At last, a human being that could provide us with useful information and
<br>>> answers to our questions about their services. We did receive about 2mb<br>>> of<br>>> materials from our contact at Cybertrust, but the materials were all<br>>> marketing fluff, totally useless. That being said, our conversation with
<br>>> the<br>>> representative gave us a very clear understanding of how Cybertrust<br>>> delivers<br>>> their services. In all honesty, we were not all that impressed.<br>>><br>>> Cybertrust does perform their own Vulnerability Research and Development
<br>>> (or<br>>> so we were told) under the umbrella of ICSAlabs which they own. Usually<br>>> we'd<br>>> say that this is great because that research is often used to augment<br>>> services and enhance overall service quality. With respect to Cybertrust,
<br>>> we<br>>> couldn't find out what they were doing with their research. They just<br>>> told<br>>> us that they don't release advisories and then refused to tell us what<br>>> they
<br>>> did with the research.<br>>><br>>> When we asked them about their services and testing methodologies, we<br>>> were<br>>> first told that they couldn't discuss that. We were told that their
<br>>> methodologies were confidential. But after a bit of Social Engineering<br>>> and<br>>> sweet talking we were able to get more information...<br>>><br>>> As it turns out, the majority of the Cybertrust services rely on what
<br>>> they<br>>> say are proprietary automated scanners which were developed in-house.<br>>> Their<br>>> methodology is to run the automated scanners against a specific target or<br>>> set of targets, and then to pass the results to a seasoned professional.
<br>>> That professional then verifies the results via manual testing and<br>>> produces<br>>> a report that contains the vetted results.<br>>><br>>> This methodology doesn't really offer any depth and doesn't do much to
<br>>> raise<br>>> the proverbial security bar. In fact, it is only slightly better than<br>>> running a Qualys scan, changing the wording of the report, and delivering<br>>> that. Quality methodologies should contain no more than 20% automated
<br>>> testing and no less than 80% manual testing. Vulnerability discovery<br>>> should<br>>> be done via manual testing, not just via automated testing.<br>>><br>>> In defense of Cybertrust, they did say that they would test in accordance
<br>>> with the customer's requirements. They also did say that if the customer<br>>> wanted 100% manual testing that they would do it. If they want 100%<br>>> automated "rubber stamp of approval" testing they would do that too.
<br>>> Saying<br>>> it is a lot different than doing it though and we weren't impressed with<br>>> their standard/default testing methodology as previously mentioned.<br>>><br>>> It is important to note that Cybertrust is also a full service security
<br>>> provider. They offer a wide range of services from supporting secure<br>>> product<br>>> development services, to security testing, and even forensic services.<br>>> With<br>>> that said, their services do not seem to be anything special. In fact,
<br>>> they<br>>> seem to be just about average short of their horrible website and<br>>> overwhelming marketing fluff.<br>>><br>>> It is our recommendation that you choose a different provider if you are
<br>>> looking for well defined, high quality services. Cybertrust is cloaked in<br>>> a<br>>> thick layer of marketing fluff and frankly doesn't seem to be very easy<br>>> to<br>>> work with. That being said, they were also not easy to review. If you
<br>>> disagree with this post or have worked with Cybertrust in the past, then<br>>> please leave us a comment. We're going to give Cybertrust a "C" but if<br>>> you<br>>> can convince us that they deserve a different grade then we'll revise our
<br>>> opinion.<br>>><br>>> Thanks for reading.<br>>><br>>> --<br>>> Posted By secreview to Professional IT Security Providers - Exposed at<br>>> 12/19/2007 07:32:00 PM<br>>> _______________________________________________
<br>>> Full-Disclosure - We believe in it.<br>>> Charter: <a href="http://lists.grok.org.uk/full-disclosure-charter.html" target="_blank">http://lists.grok.org.uk/full-disclosure-charter.html</a><br>>> Hosted and sponsored by Secunia -
<a href="http://secunia.com/" target="_blank">http://secunia.com/</a><br>>><br>><br><br>
</blockquote></div><br>
</div></div><br>
</blockquote></div><br>