Penetration Testing mailing list archives

Re: Penetration Testing Scheduling


From: Pete Herzog <lists () isecom org>
Date: Thu, 01 May 2008 20:21:47 +0200

Hi,

I just uploaded a little slide with graphic about test types from OSSTMM 3: http://www.isecom.org/Test_types.ISECOM.pdf

A thorough test is one where the auditor knows what is being tested and the target knows nothing of the test. This allows the auditor to test the target as completely as possible including the reactions of the staff. The worst kind of test is the kind where the auditor knows nothing about the target and the target is aware of the test because this will only test the skill of the auditor and the ability of the target to move itself out of "harm's way".

What kind of test to run depends on what it is used for. If it is for the client's education in applied protection, then do it however they want it done, while explaining to them the value of a thorough audit. If it is for 3rd party certification, then you are obligated to do the best and most thorough audit the 3rd party needs. Ultimately, the client pays the bill, and a good capitalist will do what fills the coffers. A good auditor, however, will do good audits.

-pete.


Yousif () Vapt-Sec com wrote:
I appreciate everyone's commentary on what I've questioned, but I don't think anyone's providing a definite answer. If it's up to the client, then that's done with; it's clearly going to be what they want, not a problem. What if they don't take you up on that and you are the decision maker? I'm getting worthless comments from people telling me that I should always have permission before security testing, but keep in mind that everyone knows that; commentary like that is just useless. Now, to focus on the question, let's say both parties agree to fulfill the security testing, the contracts have been signed, and the setup in general has been completed. To go on with your testing, do you let them know an exact date/time OR do you simply let them know it's a week from now? I'm clarifying this because it seems like a lot of people are giving options, and it's always good to have a choice, but I'm looking more for the "right" thing to do.

------------------------------------------------------------------------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
------------------------------------------------------------------------