RE: Pen testing a off-site web server

["Mike Forrester" <mikef () pocketlint com>]

Another thing that might need to be discussed during the approval process is
the disclosure of the results of the test to the web-hosting company.
Someone is paying you to audit their services, but does the hosting company
get this information for free?  I did an audit of a web-based content
delivery service that one of our departments wanted to use.  They sent us an
eval server and I broke into it fairly easy (RDS bug :) ).  I wrote a
detailed document for internal use stating all the security problems with
their server.  One of the managers of the project just emailed the entire
doc to the company that provided the eval server.  Basically, they got a
nice detailed security audit for free.  The problem is how do you have them
fix all the bugs or justify to management that the security of the product
or service sucks without providing free security consulting to all of your
vendors?  You are providing security awareness and potential increasing the
company's security, but should you be doing it for free?  We haven't really
come up with a solution to the dilemma.  How have others addressed this?

Mike