It's their system. As long as they agree to observe...hands free, I don't see a problem with it. It doesn't hurt to educate the customer either. I'm not saying you should hand over the source to your own in-house tools, just that it goes a long way towards establishing a relationship with them. How much you share is obviously at your discretion.

Remember, if you tell everyone everything you know...everyone will know more than you. There's a fine line between education of a customer and business suicide. You have to walk carefully along that line, or you could end up with a customer that thinks that since they sat in on one pen-test...they don't need you anymore. That might be their goal anyway. You have to be the judge of that.

--
Jonathan Rickman
X Corps Security
http://www.xcorps.net

On Tue, 19 Jun 2001, Joe Klein wrote:

> All:
>
> I am hearing customers request (and sometimes demand) that they be part of a
> pen test.
>
> Currently, we offer the customer 4 - 8 hours of time to review findings and show
> them what we did, to access their systems. But we do this after the pen test is
> complete.
>
> I was wondering how other companies deal with this issue?
>
> J

This archive was generated by hypermail 2b30 : Tue Jun 19 2001 - 20:54:34 PDT