Aug 22nd, 2007

The start of an interesting series of blogs

The Art of Scoping Application Security Reviews (Part 1) – The Business « Mark Curphey –
Mark Curphey is starting a series of posts on application security review scoping, which should be interesting reading (although I imagine it may annoy some people in the industry ;o) )
In this one, looking at the business aspects, I particularly liked the bit about “Bling Bling or Bang Bang”. It’s true to say that in a lot of cases the money spent getting consultants to write up reports could be better spent elsewhere, especially in cases where an internal team will be reformatting the output before presenting it to the business.
Also, like some other people in the industry (Marcus Ranum being an example), Mark seems to have a flair for analogies. Drawing the analogy from security assessment companies to the food industry was in many ways bang on.
There are “Chefs” out there, where you specifically want their services, not just those of the company they work for. That said, I’m not sure any of the companies out there will want to be associated with being “food chains”!


  1. Mark Curphey August 23, 2007 at 7:47 am

    Glad you think the series might be interesting, but not sure why they “might annoy some people in the industry”?

  2. Rory August 23, 2007 at 10:12 am

    Well, as you say yourself in the post, some of the information you’re talking about isn’t necessarily widely known, and whilst it’s not underhand at all, more people understanding the nature of rate cards, where T&M is better or worse than fixed price for clients etc., may cause some sales people to have tougher conversations with clients… not that that’s necessarily a bad thing 🙂
    Also, whilst I’m sure no reputable company would use bait and switch on a pen testing assignment, I don’t imagine that companies that do would want attention to be drawn to the fact ;o)

