Penetration Testing mailing list archives

Re: [PEN-TEST] Penetration Testing Ethic


From: H Carvey <keydet89 () YAHOO COM>
Date: Thu, 14 Sep 2000 10:50:29 -0000


I have always had a problem with companies that not only perform the security audit and make recommendations but perform the fixes as well... Is it not in their interest to leave a few holes here and there so that their report doesn't look so bare when they come back for repeat testing..


Regardless of ethics and business decisions, this just doesn't make sense to me.  After all, a consulting company is called in to do a penetration test (or for the sake of this discussion, it could also be a vulnerability assessment), finds holes, etc.  They then write up a report (which one sincerely hopes is NOT simply accepted w/o review) that should contain not only a listing of the vulnerabilities found, but a prioritized workflow for dealing with the discoveries.

At this point, the owning company should review the final report, and address the issues based upon their business needs, staffing and resources available, etc.  Most importantly, the owning company should be the ones to apply the fixes!  Why?  B/c they live with the infrastructure...who better to fix it?

Carv

