How To Tell A Good Security Test Report From A Bad One

Suppose you had a penetration test, a vulnerability assessment, a security test, whatever it was called. (Different people use different names for different kinds of test.) Now you have a report, and, apart from having to sort out the problems that were discovered, you want to know whether the testers did a good job.

This post should help you with that last one.

Warranty Void If Password Changed

Once, while doing an internal network vulnerability assessment, I asked the customer's security officer: "What is this Oracle server?"

"The one with all the default passwords?"

"Oh, it has been installed by a vendor. The vendor said that if we change any of the passwords, it will void our warranty. The legal are dealing with it now."

Snow White And Seven Firewalls

A soon-to-be-former colleague of mine, Axel, once mentioned a conversation he had with a security officer at a customer site. Axel was describing an attack against their web application from the Internet. The guy said:

"No, it is not possible. There are seven firewalls between the Internet and the application. You can't get an exploit through that."

A lot of people seem to work under the impression that firewalls are like magic charms: they make you safer just because you have them, and the more you've got, the better.

Why Gremwell?

I never thought that coming up with a name for a company would become a blocking point.

Of course, first we thought about naming it Bezroutchko & Bezroutchko (because it sounds great and it is easy to remember). I don't really know why we abandoned this idea.

We wanted the name to indicate that it is something about computers (something with "bit", "byte" or "hex" in it). We also wanted a hint of magic (but not the word "magic" itself, because it is already in MagicTree). And we also wanted something like "works", "mill", "factory" or along those lines.
