Re: Disabling IPS for PENTEST

[Reginald%20Wheeler <wheeler90 () comcast net>]

I would call what they are attempting to do an audit. This is not a pen-test of any sort. Now if they were going to 
pen-test leave the IPS up. There are ways to get around an IPS with out having someone add your IP to an exclusion 
list.  If I were you I would suggest to the powers that be to find a different company. Try a company like ISS, 
Offensive Security, Rapid 7, Digital Defense. Out side of that these are the questions that should have been asked. 

How long has your company been in business?
How many pentests has your company performed?
What is your company’s pentesting process?
Does your testing team have certifications?
Which pentesting tools does your company use?
What safeguards are in place to ensure that critical systems are not affected during the pentest?
In the event that a secondary or remediation scan is needed, will there be an additional fee?

Hope this helps.




Thank You, 
Reginald Wheeler A+ Networking+ MCSE 2003 



----- Original Message -----
From: "Kid Tangerine" <kidtangerine () gmail com>
To: security-basics () securityfocus com
Sent: Monday, August 6, 2012 9:57:24 AM
Subject: Disabling IPS for PENTEST

All,

Corporate has requested we get a PENTEST for our Internet facing
website from a third party, but the third party asked us to allow
their ip address to be excluded from our IPS.

Is that a common practice to basically turn off our protection and
allow them in?

Obviously we aren't developers, so If the code has sql injections,
cross site scripting, etc vulnerabilities we cannot fix it within the
corporate guidelines, and our only leverage from the IT infrastructure
side is to include the needed filters in the IPS to prevent their
crappy code from being exploited. It we turn off the IPS I am sure all
kinds of things will show up.

Any experience appreciated.

------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate.  We look at how SSL works, how 
it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, 
install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are 
highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------

------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate.  We look at how SSL works, how 
it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, 
install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are 
highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------