Re: Pentester convicted..

[Christine Kronberg <seeker () shalla de>]

  Hiho,

> Hey there pen-testers, take this with a grain of salt, it just got me
> excited.  I am really interested in everyones opinion on the matter or
> corporate responsibility and ownership.
>
> <RANT>
> In an article posted to slashdot today
> (http://it.slashdot.org/article.pl?sid=06/05/10/112259&from=rss) a man
*snip*

  If I understand correctly the guy informed the customers about
  the the security problem? Not the "owner" of the problem?
  Although it seems that the company was aware that a problem exists.
  But giving this information out to the customers is definitely
  not the correct way to handle things.
  The company is acting irresponsible as well by not fixing the
  problem. Their opinion "he integrity of the system was impaired
  because a lot more people (customers) now knew that the system
  was insecure" is ridiculous. Once a security problem exists
  the integrity is impaired whether few know about it or it is
  known all over the world. One person is enough to compromise
  a system. Of course, on the risk side you can calculate that
  the more people know about the problem, the more likely it
  is that someone is exploiting it. But knowing about a problem
  betting on that none will notice is careless. Security by
  obscurity never works for long.
  And: Not the existence of security problems gives a company
  a bad reputation. The way they handle their problems does.

  Now to the pentesting side:
  As a pentester, I will not lay my (virtual) hands on any computer
  or application to explore/exploit it without a solid signed contract
  permitting me to do so.
  If I stumble over an odd behaving application by chance I may report
  to the responsible people that something is odd and asked them to
  fix it. I will not investigate any further unless a contract comes
  up my way.

  If I see that a reported problem still exists than this is bitter
  ... for the people who use that service. So what's about my
  responsibility? Am I responsible for the security of the customers
  because I know they are using a service that may impact their
  security somehow? Although I already notified the owner of the
  service that a problem exists? I don't think so. Although I
  admit it leaves me feeling uncomfortable.
  One thing one can try is to escalate the problem within that
  company. But telling to their customers directly? No, that's no
  way.
  So what's about the last way: going public instead of informing
  the victims directly? I think it depends on the problem and how
  it is presented. Making people aware of security problems is
  necessary. To keep information closed away is segregating the
  wrong people. It's difficult to find the right way.

  Cheers,

  Christine Kronberg.


--
Shalla Secure Services
http://www.shalla.de



------------------------------------------------------------------------------
This List Sponsored by: Cenzic

Concerned about Web Application Security? 
Why not go with the #1 solution - Cenzic, the only one to win the Analyst's 
Choice Award from eWeek. As attacks through web applications continue to rise, 
you need to proactively protect your applications from hackers. Cenzic has the 
most comprehensive solutions to meet your application security penetration 
testing and vulnerability management needs. You have an option to go with a 
managed service (Cenzic ClickToSecure) or an enterprise software 
(Cenzic Hailstorm). Download FREE whitepaper on how a managed service can 
help you: http://www.cenzic.com/news_events/wpappsec.php 
And, now for a limited time we can do a FREE audit for you to confirm your 
results from other product. Contact us at request () cenzic com for details.
------------------------------------------------------------------------------