Penetration Testing mailing list archives
Re: White box pentesting
From: Joey Peloquin <joeyp () cotse net>
Date: Thu, 02 Oct 2008 14:45:32 -0500
Zack Payton wrote:
> In my experience, companies usually already know that physical security and susceptibility to social engineering are their weak spots, and aren't interested in paying us to tell them what they already know. But at the same time, things like white hat phishing campaigns against staff can be an easy way to measure the effectiveness of security awareness training... Clients like to get some metrics regarding the effectiveness of security training. It helps the suits to know where to spend their money.
Don't get me wrong, I'm not arguing against the necessity and validity of these kinds of tests, but rather explaining that *we* aren't normally successful in getting the client to include them in the scope. We offer every single time, and recommend they include the tests for the very reasons you give.
Maybe 1 in 15 or 20 take us up on it. Far too few IMO.