Penetration Testing mailing list archives
Re: What is your policy on customers participating in a pen test?
From: "GBH" <gbh () maitland demon co uk>
Date: Tue, 19 Jun 2001 22:51:00 +0100
Can I ask you why you WOULDN'T let a client see what you're doing? If you are competent, happy and methodical with the work that you do there should be no reason at all not to allow a client to watch a live pen test. Are we not all here to help "them", whoever they may be, become more secure, more aware and more alert to security risks? (And of course point out their massive security holes!)

There is always this culture that people worry about their clients not asking them back because they've learnt how to do it themselves. At least by allowing them to watch what you're doing they'll get a feel for how things are done by nasty l337 h4x0r types. It is VERY unlikely that any client would learn enough to attempt their own, and if they do, great! You've just educated someone else how to test if their networks are secure. That's a big plus in my view.

The way I see it is let them watch, show them what you do and, if you can, involve them in the work. Let them justify in their minds you're not going to kill their network (unless that's what you're there for) and let them know the massive amounts of money they're paying you is worth it and that you're not just running a nmap scan.

I see user education - either pure knowledge or even enthusing someone enough to show an interest - as a massive plus in what I do. As I said earlier, the more aware I can make people the more secure their system is likely to be. After all, there are always FAR more people who have no interest and no clue than there ever will be on the other side of the fence. I'll never be out of work (I hope!)

Thanks
Gary

----- Original Message -----
From: "Joe Klein" <jsklein () mindspring com>
To: <pen-test () securityfocus com>
Sent: Tuesday, June 19, 2001 6:59 AM
Subject: What is your policy on customers participating in a pen test?

All: I am hearing customers request (and sometimes demand) that they be part of a pen test. Currently, we offer the customer 4 - 8 hours of time to review findings and show them what we did, to access their systems. But we do this after the pen test is complete. I was wondering how other companies deal with this issue?

J