Penetration Testing mailing list archives

RE: What is your policy on customers participating in a pen test?


From: "Bojan Zdrnja" <Bojan.Zdrnja () FER hr>
Date: Mon, 25 Jun 2001 12:17:30 +0200


> You come to my company, you use 'proprietary technique' to root some box,
> and then what? You will not tell me how you did it, because it is
> 'proprietary technique'?

On the matter of that, while I was doing penetration testing we always
provided a report to the customer in which it was stated exactly how a specific
hole could be exploited to get access or anything else.
Of course, the tools we use are our own and I don't think the customer should
get anything about them. But they should know how a security hole can be
exploited, and maybe some details of how we found it.

> Well, I don't know about others, but all the clients we deal with are not
> the ones that accept "I can't tell you" as an answer, or "It's secret" as
> an argument. No, I'm not trying to sound 'important' or to impress anyone,
> it's just reality with big companies (at least in my experience, in the
> Asia-Pacific region).

I agree that "I can't tell you" is not an acceptable answer for a customer. But
they don't need to know our techniques; they need to know the result, the
possible problems, and some paths that lead to that result. (IMHO :)

> a) *understand* the client's infrastructure/setup well
> b) find *all* security problems in the time allocated - not just tell them
> something like "I rooted your DNS server, hehehe..." and stop there

Of course, after all, we're presuming that we are not some kind of kiddie
"hackers", but professionals whose goal is to make the customer satisfied.

Bojan Zdrnja
