Slashdot Mirror


User: thepiltdownman

thepiltdownman's activity in the archive.

Stories: 0
Comments: 1

Comments · 1

  1. bad consultants bad on Network Penetration Scans and Executive Reaction? · Score: 2, Informative

    I am sorry for all the people who had experience with bad auditors. Truth is that learning scanning software (ISS, Nessus, Harris Stat, etc.) is fairly easy. It's the analysis part that is hard. When I do audits, I go over every vulnerability found (by whatever particular scanner) with the client and we discuss each one to find out whether it is valid for their environment or not. Additionally, a post report should include a thorough analysis of all the findings, not just a printout of the ISS report (which in my opinion is poor), and match these vulnerabilities with realistic mitigations. Just like in every field, there are bad people and there are really good people as well. I have met TONS of people recently who are in security because they heard it was a hot field, but even with the CISSP they don't know jack!!!