nanog mailing list archives
Re: Penetration Test Assistance
From: Leo Bicknell <bicknell () ufp org>
Date: Tue, 5 Jun 2012 11:39:22 -0700
The bit of information that's missing here is what are you trying
to pentest, and by extension how much do you want to pay your pentest
firm?
For some folks a pentest means starting with zero information and
trying to get IP packets passed a firewall or IDS's undetected.
Basically pentesting layer 3 infrastructure.
For other folks a pentest is purely an application level exercise,
you give the pentester an account on your customer portal for
instance, a full network diagram, and let them try things like SQL
injection or cross site scripting at the applications layer.
Your pentest firm can start with zero information and work all the
way up to an application level attack, but that's costly and time
consuming. Providing them some information is a way to short circuit
the process.
If you (or appropriate company representative) haven't already
discussed the pros and cons with your pentest firm you're off on the
wrong foot.
--
Leo Bicknell - bicknell () ufp org - CCIE 3440
PGP keys at http://www.ufp.org/~bicknell/
Attachment:
_bin
Description:
Current thread:
- Re: Penetration Test Assistance, (continued)
- Re: Penetration Test Assistance Quinn Kuzmich (Jun 05)
- RE: Penetration Test Assistance Baklarz, Ron (Jun 05)
- Re: Penetration Test Assistance dennis (Jun 05)
- Re: Penetration Test Assistance William Herrin (Jun 05)
- Re: Penetration Test Assistance Aled Morris (Jun 05)
- RE: Penetration Test Assistance Darden, Patrick S. (Jun 05)
- Re: Penetration Test Assistance Barry Greene (Jun 05)
- RE: Penetration Test Assistance Darden, Patrick S. (Jun 05)
- Re: Penetration Test Assistance Harry Hoffman (Jun 05)
- Re: Penetration Test Assistance Brett Watson (Jun 05)
- RE: Penetration Test Assistance Darden, Patrick S. (Jun 05)
- Re: Penetration Test Assistance Leo Bicknell (Jun 05)