Re: What is your policy on customers particapating in a pen test?

["James Chamier" <jc_security () ntlworld com>]

"Duquette, John" <john.duquette () eds com> wrote:
> I've noticed an increase in clients wanting to observe a pentest.  We
> don't prohibit this, naturally its not much fun to work with someone
> staring over your shoulder, but we always accommodate these requests.
>  The downside can be when a client interferes with the engagement.  I
> used to work for one of the big 5 and we had a client in "observing",
> fine.  The bad thing was he was watching what we were preparing to do
> and calling to his company so they could be extra prepared which
> naturally hurt the engagement.

I've worked on a couple of engagements where the customer was monitoring the engagement remotely and shutting down 
services that we discovered before we could exploit them.

Since then we've asked customers not to make any changes whilst the pen-test is underway, although I guess there is no 
way we can actually be 100% certain!?

> Education is always the desired result of an assessment but you want
> rules on what can/can't happen.  However, I would never allow a
> client to actually participate in the engagement, or turn over any
> applications/source for anything that we use.

I think clients should only be given the report, preferable in a non-modifiable form, such as PDF.

James