Re: What is your policy on customers participating in a pen test?

From: David Rosenthal (DRosentat_private)
Date: Wed Jun 20 2001 - 04:16:15 PDT


    I am in the process of reviewing various proposals for a future A&P testing engagement at my organization.  I have specifically inquired about the possibility of "observing" the work of the pen-testers as they conduct their testing and all the vendors we are considering have agreed to this.  
    Speaking strictly as a potential "client" for this type of service, I feel strongly that the testing per se should be left to the experts (YOU), and we as clients should stay out of the way and let you do your jobs.  But again, I feel that observing the actions of the pen-testers as they are working is entirely appropriate.
    That's my 2 cents....
    
    David 
    
    >>> Joe Klein <jskleinat_private> 6/19/01 1:59:45 AM >>> 
    All: 
    
    I am hearing customers request (and sometimes demand) that they be part of a 
    pen test. 
    
    Currently, we offer the customer 4 - 8 hours of time to review findings and show 
    them what we did to access their systems. But we do this after the pen test is 
    complete. 
    
    I was wondering how other companies deal with this issue? 
    
    J 
    
    
    


