Another thing that might need to be discussed during the approval process is the disclosure of the results of the test to the web-hosting company. Someone is paying you to audit their services, but does the hosting company get this information for free? I did an audit of a web-based content delivery service that one of our departments wanted to use. They sent us an eval server and I broke into it fairly easy (RDS bug :) ). I wrote a detailed document for internal use stating all the security problems with their server. One of the managers of the project just emailed the entire doc to the company that provided the eval server. Basically, they got a nice detailed security audit for free. The problem is how do you have them fix all the bugs or justify to management that the security of the product or service sucks without providing free security consulting to all of your vendors? You are providing security awareness and potential increasing the company's security, but should you be doing it for free? We haven't really come up with a solution to the dilemma. How have others addressed this? Mike
This archive was generated by hypermail 2b30 : Thu May 31 2001 - 09:27:28 PDT