Penetration Testing mailing list archives

Re: Ethics (testing and mitigation)


From: Parity <pty.err () gmail com>
Date: Wed, 4 Mar 2009 16:43:49 -0800

It depends on the order of operations.  Here's my policy:

If I first provide design review, implementation, and/or security
architecture guidance for a project, then I consider myself ineligible
to later perform any sort of penetration testing project against my
own work.  It's an obviously impossible position.  Either my pen-test
yields a bunch of stuff and I make myself and my original project
sponsor look bad, or it yields nothing and everyone scratches their
heads wondering if they can trust me.

On the other hand, if I determine during a pen-test that some large
remediation task is called for, and if I feel that I'm well-qualified
to perform the remediation work, I might propose to do it.  Of course,
if I end up doing said remediation work, then I disqualify myself from
future pen-testing of that project in keeping with the point made
above.

pty

On Sat, Feb 28, 2009 at 6:04 PM, Tony <tony_l_turner () yahoo com> wrote:

Is it ethical for a security testing (VA, Pen-test, etc) shop to provide
mitigation services? If so, under what context? How to guard against the
tendency to try to sell a customer the solutions that profit you the
most instead of those that the customer needs the most? Should services
be sold as a single blanket package or priced in such a way as to
minimize this effect? How does this damage your credibility as an
impartial tester?

You don't have to answer all of this, just looking for discussion along
these lines.
--
Tony L Turner CISSP/CISA/GSEC/ITIL
IT Security/Disaster Preparedness Consultant
