Re: What is your policy on customers participating in a pen test?

From: Jonathan Rickman (jonathanat_private)
Date: Tue Jun 19 2001 - 14:47:04 PDT


    It's their system. As long as they agree to observe...hands free, I don't
    see a problem with it. It doesn't hurt to educate the customer either. I'm
    not saying you should hand over the source to your own in-house tools,
    just that it goes a long way towards establishing a relationship with
    them. How much you share is obviously at your discretion. Remember, if you
    tell everyone everything you know...everyone will know more than you.
    There's a fine line between education of a customer and business suicide.
    You have to walk carefully along that line, or you could end up with a
    customer that thinks that since they sat in on one pen-test...they don't
    need you anymore. That might be their goal anyway. You have to be the
    judge of that.
    
    -- 
    Jonathan Rickman
    X Corps Security
    http://www.xcorps.net
    
    On Tue, 19 Jun 2001, Joe Klein wrote:
    
    > All:
    >
    > I am hearing customers request (and sometimes demand) that they be part of a
    > pen test.
    >
    > Currently, we offer the customer 4 - 8 hours of time to review findings and show
    > them what we did, to access their systems. But we do this after the pen test is
    > complete.
    >
    > I was wondering how other companies deal with this issue?
    >
    > J
    



    This archive was generated by hypermail 2b30 : Tue Jun 19 2001 - 20:54:34 PDT