
[_] Pen-testing

Craig Francis craig at craigfrancis.co.uk
Fri Aug 5 11:11:32 BST 2016

On 5 Aug 2016, at 10:40, Wilkes, Matthew <matt at matthewwilkes.name> wrote:
> ... most pentesting is a liability shift exercise. Code review won't help with that.
Meh, and here was I thinking we wanted to create secure websites :-P

Oh, look at that, 3% of the Alexa top 1 million websites are implementing Strict-Transport-Security, and we still have less than 1% implementing any kind of Content-Security-Policy (most of which use "unsafe-inline").

Grumble, grumble...
https://scotthelme.co.uk/alexa-top-1-million-crawl-aug-2016/
> On 5 Aug 2016, at 10:40, Wilkes, Matthew <matt at matthewwilkes.name> wrote:
> 
> I've done that kind of thing for a few clients. We generally sell it as
> security-focussed code review, rather than pentesting. It certainly has its
> place, and I'd argue that you get better value for money than you would
> getting an automated test from someone like NCC, but most pentesting is a
> liability shift exercise. Code review won't help with that.
> 
> Matt
> 
> On Fri, Aug 5, 2016 at 10:00 AM, Craig Francis <craig at craigfrancis.co.uk>
> wrote:
> 
>> Out of interest, has anyone had a test which involved the testers looking
>> at the source code?
>> 
>> It seems that all my testers just used an automated tool, with one
>> exception who did a quick manual check as well (as in, they opened Chrome
>> Dev Tools to double check the CSRF validation).
>> 
>> Craig
>> 
>> 
>>> On 5 Aug 2016, at 09:09, Alex Martin <alex at wearehalo.co.uk> wrote:
>>> 
>>> Thanks Peter, will give them a shout.
>>> 
>>> Alex
>>> 
>>>> 
>>>>> Can anyone recommend companies to carry out independent pen-testing on
>>>>> our sites/environments? Usually fairly standard LAMP stuff (lots of
>>>>> Drupal). Have successfully used Nettitude in the past, but would be good to
>>>>> know some other providers.
>>>> 
>>>> Think this lot were used by our clients to check over some e-commerce
>>>> sites we'd done: https://www.nccgroup.trust/uk/
>>>> 
>>>> Peter Marshall
>>>> 
>>> 
>>> --
>>> underscore_ list info/archive -> http://www.under-score.org.uk/mailman/listinfo/underscore
>> 
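The headers Craig's figures refer to, as an added example of how a crawl-style check might classify a site's Strict-Transport-Security and Content-Security-Policy response headers. This is not code from the thread or from Scott Helme's crawl (whose exact methodology is not described here); the sample responses are constructed, and the 180-day threshold for calling an HSTS max-age "weak" is an assumption.

```python
"""Classify HTTP response headers for HSTS and CSP hygiene.

Added example for the Underscore thread, not code from the list or from
Scott Helme's crawl. Sample responses are constructed; the 180-day "weak
HSTS" threshold is an assumption.
"""
import re
from typing import Dict, List, Optional

# Constructed sample responses: site name -> response headers.
SAMPLE_RESPONSES: Dict[str, Dict[str, str]] = {
    "good.example": {
        "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
        "Content-Security-Policy": (
            "default-src 'self'; script-src 'self' https://cdn.example; object-src 'none'"
        ),
    },
    "inline.example": {
        "strict-transport-security": "max-age=300",
        "Content-Security-Policy": "default-src 'self' 'unsafe-inline'",
    },
    "none.example": {"Server": "Apache"},
}

WEAK_HSTS_SECONDS = 180 * 24 * 3600  # assumption: under ~6 months counts as weak


def get_header(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def hsts_max_age(value: str) -> Optional[int]:
    """Extract max-age from an HSTS value; None if missing or malformed."""
    match = re.search(r'max-age\s*=\s*"?(\d+)"?', value, re.IGNORECASE)
    return int(match.group(1)) if match else None


def parse_csp(value: str) -> Dict[str, List[str]]:
    """Split a CSP into {directive: [source expressions]}, lower-cased."""
    policy: Dict[str, List[str]] = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return policy


def effective_script_sources(policy: Dict[str, List[str]]) -> List[str]:
    """script-src if present, otherwise the default-src fallback."""
    return policy.get("script-src", policy.get("default-src", []))


def assess(headers: Dict[str, str]) -> Dict[str, bool]:
    """Classify one response's HSTS and CSP posture."""
    result = {"hsts": False, "hsts_weak": False, "csp": False, "csp_unsafe_inline": False}
    hsts = get_header(headers, "Strict-Transport-Security")
    if hsts is not None:
        max_age = hsts_max_age(hsts)
        # max-age=0 tells browsers to forget the policy, so it does not count.
        if max_age is not None and max_age > 0:
            result["hsts"] = True
            result["hsts_weak"] = max_age < WEAK_HSTS_SECONDS
    csp = get_header(headers, "Content-Security-Policy")
    if csp is not None:
        result["csp"] = True
        sources = effective_script_sources(parse_csp(csp))
        # 'unsafe-inline' in the effective script-src lets inline scripts run,
        # which removes most of the XSS protection a CSP is meant to provide.
        result["csp_unsafe_inline"] = "'unsafe-inline'" in sources
    return result


def summarise(responses: Dict[str, Dict[str, str]]) -> Dict[str, int]:
    """Aggregate counts across sites, in the style of the Alexa crawl figures."""
    counts = {"total": 0, "hsts": 0, "csp": 0, "csp_unsafe_inline": 0}
    for headers in responses.values():
        verdict = assess(headers)
        counts["total"] += 1
        for key in ("hsts", "csp", "csp_unsafe_inline"):
            counts[key] += int(verdict[key])
    return counts


if __name__ == "__main__":
    for site, site_headers in SAMPLE_RESPONSES.items():
        print(site, assess(site_headers))
    print(summarise(SAMPLE_RESPONSES))
```

Two caveats when using this against real responses: it looks only at the enforcing Content-Security-Policy header, not Content-Security-Policy-Report-Only, and it treats any 'unsafe-inline' in the effective script-src as live, whereas a CSP3 browser ignores 'unsafe-inline' when a nonce or hash source is also present in that directive.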