Penetration Testing mailing list archives

Re: [PEN-TEST] Penetration Testing Ethic


From: Bennett Todd <bet () RAHUL NET>
Date: Wed, 13 Sep 2000 16:44:20 -0400

2000-09-13-12:52:51 Mathew Bevan:
> I have always had a problem with companies that not only perform
> the security audit and make recommendations but perform the fixes
> as well... Is it not in their interest to leave a few holes here
> and there so that their report doesn't look so bare when they come
> back for repeat testing...

Nope. If one organization is both testing and fixing, then they'll
have to document why the problem occurred; it'll have to be either
something they didn't know about before, or a result of some change
made by the customer.

If they didn't know about it before, they'll need to be documenting
(typically with the URL of the bugtraq announcement) how they came
to learn about it since the last scan --- if there's a continuing
pattern of stuff that they didn't find in previous scans, that were
old news when those scans were made, then they aren't doing their
job.

-Bennett
