Penetration Testing mailing list archives

RE: What is your policy on customers participating in a pen test?


From: Steve Hutchins <Steve.Hutchins () optimation co nz>
Date: Mon, 25 Jun 2001 15:35:41 +1200

> Can't disagree with this but strangely enough most companies get very very
> twitchy when you're looking to do a live unannounced pen-test on their
> e-commerce site...

How do you quantify most? Are you talking about most businesses or just
the ones you come into contact with?

Obviously there's not going to be any completely right answer to this.
It pretty much comes down to what the customer wants in the first place.
Common sense states (and so should the agreement between the parties) that
if a serious hole is found, then the customer should be informed asap.
With the rest, it's debatable until the cows come home. If you view
a pen test as an audit, its intent is to produce a current status.
If you have the customer fixing in parallel with the test, this is like
trying to hit a moving target and will cause the test to take longer
than planned (and possibly run out of the customer's budget - although
it never should), because you end up rerunning tests to validate your
previous findings (instead of rerunning the test after the rectification
work has been completed).
When performing a test with a team, this complicates the test.

On this point, I'd be interested in hearing other people's methodology
on team coordination and communication whilst doing a pen test.
