> Can't disagree with this but strangely enough most companies get very very
> twitchy when you're looking to do a live unannounced pen-test on their
> e-commerce site...

How do you quantify most? Are you talking about most businesses or just the ones you come into contact with?

Obviously there's not going to be any completely right answer to this. It pretty much comes down to what the customer wants in the first place. Common sense (and so should the agreement between parties) states that if a serious hole is found, then the customer should be informed asap. With the rest, it's debatable until the cows come home.

If you view a pen test as an audit, its intent is to produce a current status. If you have the customer fixing in parallel with the test, this is like trying to hit a moving target and will cause the test to take longer than planned (and possibly run out of the customer's budget - although it never should), because you end up rerunning tests to validate your previous findings (instead of rerunning the test after the rectification work has been completed). When performing a test with a team, this complicates the test.

On this point, I'd be interested in hearing other people's methodology on team coordination and communication whilst doing a pen test.
This archive was generated by hypermail 2b30 : Sun Jun 24 2001 - 21:40:07 PDT