Penetration Testing mailing list archives

Re: What is your policy on customers participating in a pen test?


From: "GBH" <gbh () maitland demon co uk>
Date: Sat, 23 Jun 2001 12:16:53 +0100


At last, someone with a common sense approach.
There's nothing wrong with the customer being there,
but if they want to watch closely, then they should
*PAY* for the training!

I don't think anyone is advocating training clients for nothing, but on the
other hand I'd be seriously worried as a client if I could learn how to do a
pen-test by looking over the tester's shoulder for a few hours. As someone
said elsewhere, pen-testing isn't rocket science, but it still should require
a fair bit of familiarisation, training and all-round IT skills before you
could hope to perform an effective pen-test.

If they are asking for a realistic pen-test from the net,
then why should they get any warning about when it's
going to happen? They wouldn't normally get this from
an anonymous hacker.

Can't disagree with this, but strangely enough most companies get very, very
twitchy when you're looking to do a live, unannounced pen-test on their
e-commerce site...



If the customer watches you get onto a box, what's the
betting that they will stay all night patching all the
other similar boxes so you can't exploit them.

Great! That's an excellent thing to do, isn't it? Pen testing should never be
about "them" the client and "us" the pen tester. Surely it should be about
the pen-tester looking for vulnerabilities and helping the client close them
as fast as is possible, if that's what they want to do? This is especially so
if the vulnerability is a serious one.

As far as I am concerned, the faster holes are closed the happier I am, and if
it cuts down on the number of vulnerabilities I find then good stuff. You
would always remind any client that they must keep up with the latest
security fixes, but the worst it's going to do is to skew the number of
holes you find in their systems.


After the initial pen test has taken place and any
follow-on rectification work has taken place, they might
want a closer working relationship, but in forming this
relationship, you will probably be excluding your company
from the next anonymous test that they want.

This alludes (I think!) back to what I said in my first post about companies
wishing to protect future business by possibly not doing the "right" thing
which may jeopardise that. I'm happy to admit I'm not a bean counter; I'm
there for my technical expertise and to help the client secure and maintain
the security of their sites. As such I will do all I can to best achieve
that while, of course, respecting my employer's confidentiality (no giving
out proprietary tools, no revealing internal papers and so on), but I don't
believe this extends to trying to make my company more money by not giving
the client the information that best fits their needs. This just perpetuates
this whole air of secrecy that some security professionals like to encourage
in order to spread the FUD. It may be damn good for the bottom line, but
IMHO I think it's somewhat immoral...

Gary


