> At last, someone with a common sense approach.
> There's nothing wrong with the customer being there,
> but if they want to watch closely, then they should
> *PAY* for the training!

I don't think anyone is advocating training clients for nothing, but on the other hand I'd be seriously worried as a client if I could learn how to do a pen-test by looking over the tester's shoulder for a few hours. As someone said elsewhere, pen-testing isn't rocket science, but it still should require a fair bit of familiarisation, training and all-round IT skills before you could hope to perform an effective pen-test.

> If they are asking for a realistic pen-test from the net,
> then why should they get any warning about when it's
> going to happen? They wouldn't normally get this from
> an anonymous hacker.

Can't disagree with this, but strangely enough most companies get very, very twitchy when you're looking to do a live unannounced pen-test on their e-commerce site...

> If the customer watches you get onto a box, what's the
> betting that they will stay all night patching all the
> other similar boxes so you can't exploit them.

Great! That's an excellent thing to do, isn't it? Pen testing should never be about "them" the client and "us" the pen tester. Surely it should be about the pen-tester looking for vulnerabilities and helping the client close them as fast as is possible, if that's what they want to do? This is especially so if the vulnerability is a serious one. As far as I am concerned, the faster holes are closed the happier I am, and if it cuts down on the number of vulnerabilities I find then good stuff. You would always remind any client that they must keep up with the latest security fixes, but the worst it's going to do is to skew the number of the holes you find in their systems.
> After the initial pen test has taken place and any
> follow-on rectification work has taken place, they might
> want a closer working relationship, but in forming this
> relationship, you will probably be excluding your company
> from the next anonymous test that they want.

This alludes (I think!) back to what I said in my first post about companies wishing to protect future business by possibly not doing the "right" thing, which may jeopardise that. I'm happy to admit I'm not a bean counter; I'm there for my technical expertise and to help the client secure and maintain the security of their sites. As such I will do all I can to best achieve that while, of course, respecting my employer's confidentiality (no giving out proprietary tools, no revealing internal papers and so on), but I don't believe this extends to trying to make my company more money by not giving the client the information that best fits their needs. This just perpetuates this whole air of secrecy that some security professionals like to encourage in order to spread the FUD. It may be damn good for the bottom line, but IMHO I think it's somewhat immoral...

Gary
This archive was generated by hypermail 2b30 : Sun Jun 24 2001 - 20:08:05 PDT