Penetration Testing mailing list archives
Re: Pentester convicted..
From: Christine Kronberg <seeker () shalla de>
Date: Thu, 11 May 2006 10:52:00 +0200 (CEST)
Hiho,
Hey there pen-testers, take this with a grain of salt, it just got me excited. I am really interested in everyones opinion on the matter or corporate responsibility and ownership. <RANT> In an article posted to slashdot today (http://it.slashdot.org/article.pl?sid=06/05/10/112259&from=rss) a man
*snip* If I understand correctly the guy informed the customers about the the security problem? Not the "owner" of the problem? Although it seems that the company was aware that a problem exists. But giving this information out to the customers is definitely not the correct way to handle things. The company is acting irresponsible as well by not fixing the problem. Their opinion "he integrity of the system was impaired because a lot more people (customers) now knew that the system was insecure" is ridiculous. Once a security problem exists the integrity is impaired whether few know about it or it is known all over the world. One person is enough to compromise a system. Of course, on the risk side you can calculate that the more people know about the problem, the more likely it is that someone is exploiting it. But knowing about a problem betting on that none will notice is careless. Security by obscurity never works for long. And: Not the existence of security problems gives a company a bad reputation. The way they handle their problems does. Now to the pentesting side: As a pentester, I will not lay my (virtual) hands on any computer or application to explore/exploit it without a solid signed contract permitting me to do so. If I stumble over an odd behaving application by chance I may report to the responsible people that something is odd and asked them to fix it. I will not investigate any further unless a contract comes up my way. If I see that a reported problem still exists than this is bitter ... for the people who use that service. So what's about my responsibility? Am I responsible for the security of the customers because I know they are using a service that may impact their security somehow? Although I already notified the owner of the service that a problem exists? I don't think so. Although I admit it leaves me feeling uncomfortable. One thing one can try is to escalate the problem within that company. But telling to their customers directly? No, that's no way. So what's about the last way: going public instead of informing the victims directly? I think it depends on the problem and how it is presented. Making people aware of security problems is necessary. To keep information closed away is segregating the wrong people. It's difficult to find the right way. Cheers, Christine Kronberg. -- Shalla Secure Services http://www.shalla.de ------------------------------------------------------------------------------ This List Sponsored by: CenzicConcerned about Web Application Security? Why not go with the #1 solution - Cenzic, the only one to win the Analyst's Choice Award from eWeek. As attacks through web applications continue to rise, you need to proactively protect your applications from hackers. Cenzic has the most comprehensive solutions to meet your application security penetration testing and vulnerability management needs. You have an option to go with a managed service (Cenzic ClickToSecure) or an enterprise software (Cenzic Hailstorm). Download FREE whitepaper on how a managed service can help you: http://www.cenzic.com/news_events/wpappsec.php And, now for a limited time we can do a FREE audit for you to confirm your results from other product. Contact us at request () cenzic com for details.
------------------------------------------------------------------------------
Current thread:
- Re: Pentester convicted.., (continued)
- Re: Pentester convicted.. Jason Ross (May 11)
- Re: Pentester convicted.. John Kinsella (May 11)
- RE: Pentester convicted.. Sahir Hidayatullah (May 11)
- Get out of jail cards (Statement of work authorizing access, was Re: Pentester convicted..) Michael Sierchio (May 12)
- Re: Get out of jail cards (Statement of work authorizing access, was Re: Pentester convicted..) Dana (May 12)
- Re: Get out of jail cards (Statement of work authorizing access, was Re: Pentester convicted..) Jeremiah Cornelius (May 12)
- Re: Get out of jail cards (Statement of work authorizing access, was Re: Pentester convicted..) Dotzero (May 12)
- Re: Get out of jail cards (Statement of work authorizing access, was Re: Pentester convicted..) Paul Asadoorian (May 12)
- RE: Get out of jail cards (Statement of work authorizing access, was Re: Pentester convicted..) Clement Dupuis (May 12)
- Get out of jail cards (Statement of work authorizing access, was Re: Pentester convicted..) Michael Sierchio (May 12)
- Re: Pentester convicted.. Dotzero (May 12)
- Re: Pentester convicted.. etropos (May 11)
- RE: Pentester convicted.. Shane Warner (May 11)
- RE: Pentester convicted.. Kluge (May 12)