Penetration Testing mailing list archives
Re: Ethics (testing and mitigation)
From: Parity <pty.err () gmail com>
Date: Wed, 4 Mar 2009 16:43:49 -0800
It depends on the order of operations. Here's my policy: If I first provide design review, implementation, and/or security architecture guidance for a project, then I consider myself ineligible to later perform any sort of penetration testing project against my own work. It's an obviously impossible position. Either my pen-test yields a bunch of stuff and I make myself and my original project sponsor look bad, or it yields nothing and everyone scratches their heads wondering if they can trust me.

On the other hand, if I determine during a pen-test that some large remediation task is called for, and if I feel that I'm well-qualified to perform the remediation work, I might propose to do it. Of course, if I end up doing said remediation work, then I disqualify myself from future pen-testing of that project in keeping with the point made above.

pty
On Sat, Feb 28, 2009 at 6:04 PM, Tony <tony_l_turner () yahoo com> wrote:

> Is it ethical for a security testing (VA, Pen-test, etc) shop to provide mitigation services? If so, under what context? How to guard against the tendency to try to sell a customer the solutions that profit you the most instead of those that the customer needs the most? Should services be sold as a single blanket package or priced in such a way as to minimize this effect? How does this damage your credibility as an impartial tester? You don't have to answer all of this, just looking for discussion along these lines.
>
> --
> Tony L Turner CISSP/CISA/GSEC/ITIL
> IT Security/Disaster Preparedness Consultant