Penetration Testing mailing list archives

Previous By Date Next
Previous By Thread Next

[PEN-TEST] FW: Penetration Testing Ethic

From: "Dunker, Noah" <NDunker () FISHNETSECURITY COM>
Date: Wed, 13 Sep 2000 15:51:54 -0500
In the past, I know of many situations such as this one,
but It all comes back to letting the pen-tester know that
they are not the only one that is going to be used.  This
will usually make the pen-tester perform a complete fix-up
if it's requested.  Whenever I come back to a client site
after a 6 month or year has lapsed, I will often find new
holes anyway... Things have been discovered that weren't
known about a year ago... Things may not have been
upgraded... and some new things may have been installed
which opens up some vulnerability.  Trust me, an honest
pen-tester usually has no problem finding a new hole after
one year, and if they are asked why you didn't catch the
problem last year, you will truly have a good answer.

In reality, if someone comes in today, performs a pen-test
and "fixes" my network, and comes back next year, saying
they found that I was running bind-8.1.1 on my nameserver,
and nothing's been done to my nameserver since the last
pen-test... I, personally, will ask why the hell the tester
did not find that last year!

In general, letting the tester know "he/she is not the only
one" will get their attention.  Also, the tester should let
at least one technical person supervise them if they are
performing the tests on-site.  If the tester is
uncomfortable with this, there could be something wrong.

Lust my $0.04 (and some info from past experiences)

--Noah Dunker

-----Original Message-----
From: Mathew Bevan [mailto:listhandler () NTLWORLD COM]
Sent: Wednesday, September 13, 2000 11:53 AM
To: PEN-TEST () SECURITYFOCUS COM
Subject: Penetration Testing Ethic


This follows on from the pen testing cost thread, Alexander Sarris raised
the point about being sold repairs multiple times..

I have always had a problem with companies that not only perform the
security audit and make recommendations but perform the fixes as well... Is
it not in their interest to leave a few holes here and there so that their
report doesnt look so bare when they come back for repeat testing..

Obviously this is and ethical issue and something I feel shouldnt happen,
this operating on both sides of the fence situation..

What does everyone else feel about this?

Mathew Bevan aka Kuji (RL 1994)
Previous By Date Next
Previous By Thread Next

Current thread: