> - Advising that testing was limited and that undetected weaknesses may
> remain, although partly opinion, is NOT assuming any risk. On the contrary
> it is a comparatively weak, but very useful, form of disclaimer that shows
> the limits of the work done. Say it every time it is true. (A real
> disclaimer essentially says that you cannot be held liable for anything, not
> even if the work you did was useless or misleading. Unpleasant but true;
> look at any software User Agreement.)

In reality, no pen test that I've ever seen can really make much of a statement about the security of a system. This is because (a) your results only reflect defects that are known today, and new ones will be found and exploits developed tomorrow, and (b) your results only apply to the configuration of the system at the time of the test. Any simple change, even as much as adding a single user, invalidates your testing. We put an extensive disclaimer explaining this in our contracts.

The value in the pen test is finding open doors. A 3-hour test is going to have limited results in any event; it can only tell you that some of the more obvious, well-known doors are closed. You simply don't have enough time to conduct a thorough test.

sc
--
This archive was generated by hypermail 2b30 : Sun Jun 03 2001 - 10:00:58 PDT