Re: [PEN-TEST] Penetration Testing Ethic

[Bill Pennington <billp () SUBDIMENSION COM>]

I can't speak for everyone but I work for a company that provides both
security services and fixes. It is in our best interest to do the job right
the first time. It really boils down to ethics but to pull punches with the
client means you are not going to be around very long as a business. It is
very simple. If you hire a company to perform a security audit you MUST have
a high degree of trust. Look for things like background checks on all
consultants and whom they have done work with before.


 I do not believe most people in the security field like fixing the same
problem over and over again, nor to any of us like leaving things in an
insecure state. We are a little wacked that way :-)


----- Original Message -----
From: J. Oquendo <intrusion () ENGINEER COM>
To: <PEN-TEST () SECURITYFOCUS COM>
Sent: Wednesday, September 13, 2000 4:33 PM
Subject: Re: Penetration Testing Ethic


> > > > >
> I have always had a problem with companies that not only perform the
security audit and make recommendations but perform the fixes as well... Is
it not in their interest to leave a few holes here and there so that their
report doesnt look so bare when they come back for repeat testing..
> > > > >
>
> Personally I feel this is what third party verification is all about. Why
would you want to depend solely on the output of one company?
> Shady businesses may deal this way but it would be more effective for a
company to be ethical upon the matter and as someone who is using these
services I say it should be there responsibility to check their credentials.
> Aside from this it would be more effective to report things entirely as it
establishes trust between the vendor and client, and as we all know security
changes so fast so there'll always likely be reasons to come back for future
business.
> Jesus Oquendo
>
> ______________________________________________
> FREE Personalized Email at Mail.com
> Sign up at http://www.mail.com/?sr=signup