Penetration Testing mailing list archives

Re: [PEN-TEST] Disclosure policy when performing pentest


From: Anders Thulin <Anders.X.Thulin () TELIA SE>
Date: Fri, 24 Nov 2000 08:50:01 +0100

"Masse, Robert" wrote:

> I personally prefer to wait until the end since when I am usually performing
> a pentest, the company is so full of vulnerabilities we will never finish if
> I would disclose on every major vulnerability.

  It makes a certain sense to decide beforehand if there are any highly
sensitive systems or networks involved in the test, and report important
vulnerabilities found in them as quickly as possible.

  Sooner or later the lag between discovery and report will result in
a vulnerability being exploited before a report is made. If the likely damage
is high -- say, several times the cost of the pen test -- that time must be
kept short.

  The client is (or should be) in the best position to decide which systems or
networks are sensitive enough; the pen-tester in the best position to decide
how serious the vulnerability is, with regard to the exposure the particular
system actually has.

  The professional pen-tester needs to assess both the risk to his
client's business *as*well*as* the risk to his own. Of course, it's
never a question of blindly following a rule, as it never can be when
... well, call it expertise ... is involved.

  Well, IMO, anyway.
--
Anders Thulin     Anders.X.Thulin () telia se     040-10 50 63
Telia Prosoft AB,   Box 85,   S-201 20 Malmö,   Sweden

