RE: What is your policy on customers particapating in a pen test?

["Duquette, John" <john.duquette () eds com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I've noticed an increase in clients wanting to observe a pentest.  We
don't prohibit this, naturally its not much fun to work with someone
staring over your shoulder, but we always accommodate these requests.
 The downside can be when a client interferes with the engagement.  I
used to work for one of the big 5 and we had a client in "observing",
fine.  The bad thing was he was watching what we were preparing to do
and calling to his company so they could be extra prepared which
naturally hurt the engagement.

Education is always the desired result of an assessment but you want
rules on what can/can't happen.  However, I would never allow a
client to actually participate in the engagement, or turn over any
applications/source for anything that we use.

John Duquette
Manager, EDS Information Assurance Services
john.duquette () eds com
703.736.8593
PGP Fingerprint: 5377 4A05 6F9B B8D1 CD16  88EC DC1F BF47 51B6 380B

> -----Original Message-----
> From: Joe Klein [mailto:jsklein () mindspring com]
> Sent: Tuesday, June 19, 2001 02:00 AM
> To: pen-test () securityfocus com
> Subject: What is your policy on customers particapating in a pen
> test?  
>
>
> All:
>
> I am hearing customers request ( and some times demand ) that 
> they be part of a
> pen test.
>
> Currently, we offer the customer 4 - 8 hours of time to 
> review findings and show
> them what we did, to access there systems. But we do this 
> after the pen test is
> complete.
>
> I was wondering how other companies deal with this issue?
>
> J

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 7.0.3 for non-commercial use <http://www.pgp.com>

iQA/AwUBOzDdQdwfv0dRtjgLEQLbQgCg6/0qKal6n8/9dzzVA5OQZhK8Q5UAnR5P
jbFnsRgDUCn9DxwUyr1PrYRV
=By2O
-----END PGP SIGNATURE-----