Penetration Testing mailing list archives
Re: Penetration Testing Scheduling
From: Joey Peloquin <joeyp () cotse net>
Date: Wed, 30 Apr 2008 08:13:21 -0500
Yousif () Vapt-Sec com wrote:
> I appreciate everyone's commentary on what I've questioned, but I don't think anyone's providing a definite answer. If it's up to the client, then that's done with, it's clearly going to be what they want, not a problem. What if they don't take you up on that and you are the decision maker? I'm getting worthless comments from people telling me that I should always have permission before security testing, but keep in mind that everyone knows that, commentary like that is just useless. Now, to focus on the question, let's say both parties agree to fulfill the security testing, and the contracts have been signed, and the setup in general has been completed. To go on with your testing, do you let them know exactly a date/time OR do you simply let them know it's a week from now.. I'm clarifying this because it seems like a lot of people are giving options, and that's always good to have a choice, but I'm looking more for the "right" thing to do..

We settle on the start date before the contract is signed, unless the client has a specific requirement that they shouldn't know when we begin (they almost never do). If we don't have a specific window for testing (e.g., 6p-6a), we start whenever we're ready on the agreed upon date, else, we generally kick it off at the beginning of the window.
I used to be on the receiving end of PT services, and it was the same when I was the client. We'd negotiate an approximate start date, and the start time would fall somewhere within the "maintenance" window for testing.
-jp
--
"Companies will say, "We can Web 2.0ify your existing applications in 15 minutes - we've got a wrapper". These people are charlatans, and you should punch them in the face. They are taking your back-end database tiers and moving them to the perimeter." - Billy Hoffman, HPSW Security Labs