I am in the process of reviewing various proposals for a future A&P testing engagement at my organization. I have specifically inquired about the possibility of "observing" the work of the pen-testers as they conduct their testing and all the vendors we are considering have agreed to this.
Speaking strictly as a potential "client" for this type of service, I feel strongly that the testing per se should be left to the experts (YOU), and we as clients should stay out of the way and let you do your jobs. But again, I feel that observing the actions of the pen-testers as they are working is entirely appropriate.
That's my 2 cents....
David

>>> Joe Klein <jskleinat_private> 6/19/01 1:59:45 AM >>>
All:
I am hearing customers request (and sometimes demand) that they be part of a pen test.
Currently, we offer the customer 4 - 8 hours of time to review findings and show them what we did to access their systems. But we do this after the pen test is complete.
I was wondering how other companies deal with this issue?
J