Penetration Testing mailing list archives
Re: Government Compliance
From: Diego Kellner <dkepler () gmail com>
Date: Thu, 16 Jun 2005 09:46:48 -0300
On 6/15/05, Dave <dave.anon () gmail com> wrote:
response to a question I had. I had asked for the definition the Department was adopting for penetration testing. The response I received was (scrubbed for anonymity):
Well, IMHO, you got what you asked for, not what you expected. Their definition of penetration testing is that there will be no penetration testings, but scanning and password cracking (which is what many big firms do, and I didn't expect the Government to be much different).
Ok, I have big problems with this. There are seperate and distinct requirements for maintaining password complexity, performing vuln scans, AND performing penetration testing. Any industry guideline or resource would never allow this "definition". Am I wrong? Am I over reacting?
Unless you were specifically hired to do penetration testings, you might just accept the fact that it's not a penetration testing what you'd be doing there. Otherwise, you might just wanna slam the door on your way out.
When I brought this up to my chain of command I was told "don't rock the boat". They fully admitted that they knew the definition to be incorrect in that it was not meeting the intent of the requirement, but that I should not say anything to rock the boat and just accept this.
Now, if there is a specific requirement that you do penetration testings, and no definition is provided in the requirement, I'm afraid the one encharged of making that definition is the one who rules.
Obviously, for ethical reasons, I am leaving the agency and the department. Feedback? Thoughts? -- Dave
IMHO, if you think you'll never be able to make the change inside AgencyX so that "penetration testings" become *penetration testings*, I understand your decision. Otherwise, you should try to make the change from the inside (not just for you, but also for AgencyX). Regards, Kepler
Current thread:
- Government Compliance Dave (Jun 16)
- Re: Government Compliance Kevin Lee (Jun 16)
- Re: Government Compliance David J. Bianco (Jun 16)
- Re: Government Compliance Diego Kellner (Jun 16)
- RE: Government Compliance Robert Hines (Jun 16)
- Re: Government Compliance Jay D. Dyson (Jun 16)
- Re: Government Compliance R. DuFresne (Jun 16)
- AW: Government Compliance Jörg Maaß (Jun 16)
- <Possible follow-ups>
- Government Compliance Security Professional (Jun 16)
- RE: Government Compliance Kasyan, Walter A (Tony) (Jun 16)
- RE: Government Compliance Smith, Michael J. (Jun 16)
- Re: Government Compliance Tim Adams (Jun 16)
- RE: Government Compliance Keith T. Morgan (Jun 16)
- RE: Government Compliance Todd Towles (Jun 16)
(Thread continues...)