Penetration Testing mailing list archives
Re: [PEN-TEST] Penetration Testing Ethic
From: H Carvey <keydet89 () YAHOO COM>
Date: Thu, 14 Sep 2000 10:50:29 -0000
> I have always had a problem with companies that not only perform the security audit and make recommendations but perform the fixes as well... Is it not in their interest to leave a few holes here and there so that their report doesn't look so bare when they come back for repeat testing..
Regardless of ethics and business decisions, this just doesn't make sense to me. After all, a consulting company is called in to do a penetration test (or, for the sake of this discussion, it could also be a vulnerability assessment), finds holes, etc. They then write up a report (which one sincerely hopes is NOT simply accepted w/o review) that should contain not only a listing of the vulnerabilities found, but a prioritized workflow for dealing with the discoveries. At this point, the owning company should review the final report and address the issues based upon their business needs, staffing and resources available, etc. Most importantly, the owning company should be the ones to apply the fixes! Why? B/c they live with the infrastructure... who better to fix it?

Carv