Monday, December 10, 2007
Immunitysec ( A- )
We received a request directly from Dave Aitel to review his company, Immunity. We thought that this request was a bit odd as Immunity appears to be a Software Provider and not a Consultancy. We normally only review Professional Security Service Providers. At any rate, we decided to make good on the request and as such reviewed the Immunity website and placed a call into Immunity and spoke with Dave's wife (very nice, polite woman). Here's how we feel about Immunity.
Immunity is for all intents and purposes a Security Software company. They sell a very powerful tool called CANVAS, which is an advanced framework for penetration testing. CANVAS is particularly useful for Professional Security Service Providers (consultants) who perform penetration testing services. Other companies like Core Security compete with CANVAS. Core Security has another very powerful tool called Core Impact.
Immunity does have a software research and development team, or at least that is what we were told. The team does not release any advisories for any of the issues that they discover, and they only add the issues to CANVAS if they are discovered by a third party first. If not, it is our understanding that the issues remain 0-day and held by Immunity (or potentially sold to legitimate exploit brokers, but we don't know that for a fact.) We do know that Immunity will purchase vulnerability information from brokers. This information is mostly incorporated into CANVAS from what we understand.
One thing that we are fairly certain of is that Dave Aitel is a high talent individual. As a result we automagically assume that he surrounds himself with other high talent people. We couldn't picture Dave surrounded by idiots; it would drive him nuts. Anyway, we feel that it's safe to say that Immunity has a very capable team with very advanced skills that could be very useful for performing Professional Security Services. Having said that, they really don't offer much in the way of Professional Security Services on their website... and we think we know why.
While talking to Dave's wife we secretly realized that it would be a conflict of interest for Immunity to offer Professional Security Services in conjunction with selling software used by Professional Security Service Providers. In short, if they offer Professional Security Services then most providers wouldn't buy their Professional Security Service testing software (CANVAS). On the other hand, if they sell the software and do not fully flaunt their services, then they'll probably make a good buck.
We think that is why the Immunity website is so focused on CANVAS and not on the offering of Consulting Services. There is a tab on their website that talks about their service offerings, but it is very, very, very, lame. The entire services page is literally one paragraph long. You can check it out here. With that said, we are certain that Dave has an A+ team that is very capable of offering seriously hardcore services... but we can't give them an A+.
One reason why we can't give them an A+ is because they are a software vendor and are not focused strictly on the offering of services. The other reason is because of the aforementioned conflict of interest: their technology is purchased by Service Providers. In conjunction with that they do not release advisories to the public, and their core focus is not protecting their customer networks, but instead is building CANVAS.
So, our opinion is that while we have a great amount of respect for Dave Aitel and the folks at Immunity, we need to be honest and give them a B. We think that their software is totally kick ass, we love reading Daily Dave, and we know that Dave could probably crack anything... but we just can't give Immunity an A.
Oh and hey... GO BUY CANVAS!!! We did and we love it!!
Wednesday, December 5, 2007
Netragard ( F--- )
Netragard ("http://www.netragard.com") tries to be a Professional IT Security Services Provider that offers a wide range of services including but not limited to Vulnerability Assessments, Penetration Tests, Web Application Assessments, Computer Forensics, etc. At first glance we were expecting to poke holes in Netragard because of their "Got Milk" like introductory page. Theirs reads "Got Hacked" and we thought it was a bit dorky. But we were certainly surprised. They are more "fluff" than anything! IN FACT.....
After further research, we also noticed that this "Security Review" site was built by Adriel Desautels himself. Kinda cool, eh? If you don't believe me, check the blog on his company web-site, http://snosoft.blogspot.com/ - Could you have at least used a different font or different Blog platform? Was business that tough that you had to start a blog and publicly humiliate people, their reputations and their livelihood Mr. Adriel T. Desautels?
Perhaps it was the absolute "stellar" review you gave yourself, that gave yourself away?
We, the new and improved SECReview team would like to officially rename the SNOsoft team to BLOWsoft and formally apologize to the people and the companies that Adriel Desautels and David Morris insulted and defamed.
Please read these reviews from the mind of a jealous, manipulative and calculating competitor. Certainly not an unbiased third party that provides a community service to the public...
All of our researchers here at the new SECreview team are trying to determine if there is a Grade that is less than an F for this so-called company Netragard, since giving them an F- is still too nice!
