Penetration Testing mailing list archives
[PEN-TEST] FW: Penetration Testing Ethic
From: "Dunker, Noah" <NDunker () FISHNETSECURITY COM>
Date: Wed, 13 Sep 2000 15:51:54 -0500
In the past, I know of many situations such as this one, but it all comes back to letting the pen-tester know that they are not the only one that is going to be used. This will usually make the pen-tester perform a complete fix-up if it's requested.

Whenever I come back to a client site after 6 months or a year have lapsed, I will often find new holes anyway... Things have been discovered that weren't known about a year ago... Things may not have been upgraded... and some new things may have been installed which open up some vulnerability. Trust me, an honest pen-tester usually has no problem finding a new hole after one year, and if they are asked why you didn't catch the problem last year, you will truly have a good answer.

In reality, if someone comes in today, performs a pen-test and "fixes" my network, and comes back next year, saying they found that I was running bind-8.1.1 on my nameserver, and nothing's been done to my nameserver since the last pen-test... I, personally, will ask why the hell the tester did not find that last year!

In general, letting the tester know "he/she is not the only one" will get their attention. Also, the tester should let at least one technical person supervise them if they are performing the tests on-site. If the tester is uncomfortable with this, there could be something wrong.

Just my $0.04 (and some info from past experiences)

--Noah Dunker

-----Original Message-----
From: Mathew Bevan [mailto:listhandler () NTLWORLD COM]
Sent: Wednesday, September 13, 2000 11:53 AM
To: PEN-TEST () SECURITYFOCUS COM
Subject: Penetration Testing Ethic

This follows on from the pen testing cost thread; Alexander Sarris raised the point about being sold repairs multiple times.. I have always had a problem with companies that not only perform the security audit and make recommendations but perform the fixes as well...

Is it not in their interest to leave a few holes here and there so that their report doesn't look so bare when they come back for repeat testing.. Obviously this is an ethical issue and something I feel shouldn't happen, this operating on both sides of the fence situation.. What does everyone else feel about this?

Mathew Bevan aka Kuji (RL 1994)