RE: What is your policy on customers participating in a pen test?

From: Steve Hutchins (Steve.Hutchinsat_private)
Date: Sun Jun 24 2001 - 20:35:41 PDT


> Can't disagree with this but strangely enough most companies get very very
> twitchy when you're looking to do a live unannounced pen-test on their
> e-commerce site...

How do you quantify most? Are you talking about most businesses or just
the ones you come into contact with?

Obviously there's not going to be any completely right answer to this.
It pretty much comes down to what the customer wants in the first place.
Common sense (and so should the agreement between parties) states that
if a serious hole is found, then the customer should be informed ASAP.
With the rest, it's debatable until the cows come home. If you view
a pen test as an audit, its intent is to produce a current status.
If you have the customer fixing in parallel with the test, this is like
trying to hit a moving target and will cause the test to take longer
than planned (and possibly run out of the customer's budget - although
it never should), because you end up rerunning tests to validate your
previous findings (instead of rerunning the test after the rectification
work has been completed).
When performing a test with a team, this complicates the test.

On this point, I'd be interested in hearing other people's methodology
on team coordination and communication whilst doing a pen test.
This archive was generated by hypermail 2b30 : Sun Jun 24 2001 - 21:40:07 PDT