Penetration Testing mailing list archives
Re: What is your policy on customers particapating in a pen test?
From: "James Chamier" <jc_security () ntlworld com>
Date: Thu, 21 Jun 2001 22:19:06 +0100
"Duquette, John" <john.duquette () eds com> wrote:
I've noticed an increase in clients wanting to observe a pentest. We don't prohibit this; naturally it's not much fun to work with someone staring over your shoulder, but we always accommodate these requests. The downside can be when a client interferes with the engagement. I used to work for one of the big 5 and we had a client in "observing", fine. The bad thing was he was watching what we were preparing to do and calling to his company so they could be extra prepared, which naturally hurt the engagement.
I've worked on a couple of engagements where the customer was monitoring the engagement remotely and shutting down services that we discovered before we could exploit them. Since then we've asked customers not to make any changes whilst the pen-test is underway, although I guess there is no way we can actually be 100% certain!?
Education is always the desired result of an assessment but you want rules on what can/can't happen. However, I would never allow a client to actually participate in the engagement, or turn over any applications/source for anything that we use.
I think clients should only be given the report, preferably in a non-modifiable form, such as PDF.
James
Current thread:
- RE: What is your policy on customers particapating in a pen test? Duquette, John (Jun 21)
- Re: What is your policy on customers particapating in a pen test? James Chamier (Jun 22)
- <Possible follow-ups>
- RE: What is your policy on customers particapating in a pen test? Steve Hutchins (Jun 22)
- RE: What is your policy on customers particapating in a pen test? Steve Hutchins (Jun 24)
- RE: What is your policy on customers particapating in a pen test? Steve Hutchins (Jun 24)