nanog mailing list archives
Re: Penetration Test Assistance
From: Leo Bicknell <bicknell () ufp org>
Date: Tue, 5 Jun 2012 11:39:22 -0700
The bit of information that's missing here is what are you trying to pentest, and by extension how much do you want to pay your pentest firm?

For some folks a pentest means starting with zero information and trying to get IP packets past a firewall or IDSes undetected. Basically pentesting layer 3 infrastructure.

For other folks a pentest is purely an application-level exercise: you give the pentester an account on your customer portal, for instance, and a full network diagram, and let them try things like SQL injection or cross-site scripting at the application layer.

Your pentest firm can start with zero information and work all the way up to an application-level attack, but that's costly and time consuming. Providing them some information is a way to short-circuit the process.

If you (or appropriate company representative) haven't already discussed the pros and cons with your pentest firm you're off on the wrong foot.

--
Leo Bicknell - bicknell () ufp org - CCIE 3440
PGP keys at http://www.ufp.org/~bicknell/