Penetration Testing mailing list archives
Re: [PEN-TEST] Penetration Testing Ethic
From: Bill Pennington <billp () SUBDIMENSION COM>
Date: Thu, 14 Sep 2000 08:42:39 -0700
I can't speak for everyone but I work for a company that provides both security services and fixes. It is in our best interest to do the job right the first time. It really boils down to ethics but to pull punches with the client means you are not going to be around very long as a business. It is very simple. If you hire a company to perform a security audit you MUST have a high degree of trust. Look for things like background checks on all consultants and whom they have done work with before. I do not believe most people in the security field like fixing the same problem over and over again, nor do any of us like leaving things in an insecure state. We are a little wacked that way :-)

----- Original Message -----
From: J. Oquendo <intrusion () ENGINEER COM>
To: <PEN-TEST () SECURITYFOCUS COM>
Sent: Wednesday, September 13, 2000 4:33 PM
Subject: Re: Penetration Testing Ethic

I have always had a problem with companies that not only perform the security audit and make recommendations but perform the fixes as well... Is it not in their interest to leave a few holes here and there so that their report doesn't look so bare when they come back for repeat testing..
Personally I feel this is what third party verification is all about. Why would you want to depend solely on the output of one company?
Shady businesses may deal this way but it would be more effective for a company to be ethical upon the matter and as someone who is using these services I say it should be their responsibility to check their credentials.
Aside from this it would be more effective to report things entirely as it establishes trust between the vendor and client, and as we all know security changes so fast so there'll always likely be reasons to come back for future business.
Jesus Oquendo