Penetration Testing mailing list archives
RE: What is your policy on customers participating in a pen test?
From: "Bojan Zdrnja" <Bojan.Zdrnja () FER hr>
Date: Mon, 25 Jun 2001 12:17:30 +0200
You come to my company, you use 'proprietary technique' to root some box, and then what? You will not tell me how you did it, because it is 'proprietary technique'?
On that matter: while I was doing penetration testing we always provided a report to the customer in which it was stated exactly how a specific hole can be exploited to get access or anything else. Of course, the tools we use are our own and I don't think the customer should get anything about them. But they should know how a security hole can be exploited and maybe, in some detail, how we found it.
Well, I don't know about others, but all the clients we deal with are not the ones that accept "I can't tell you" as an answer, or "It's secret" as an argument. No, I'm not trying to sound 'important' or to impress anyone, it's just reality with big companies (at least in my experience, in the Asia-Pacific region).
I agree that "I can't tell you" is not an acceptable answer for a customer. But they don't need to know our techniques; they need to know the result, the possible problems and some of the paths that lead to that result. (IMHO :)
a) *understand* the client's infrastructure/setup well
b) find *all* security problems in the time allocated - not just tell them something like "I rooted your DNS server, hehehe..." and stop there
Of course, after all, we're presuming that we are not some kind of kiddie "hackers", but professionals whose goal is to make the customer satisfied.

Bojan Zdrnja