RE: Limited vs full blown testing

[Bénoni MARTIN <Benoni.MARTIN () libertis ga>]

Well, I will reply as an IT Architect: in my former company, I had to perform some vuln's testing in our networks, and 
what we did was:
-  I warned the management of what I was doing, telling them clearly that some test may crash the machines.
-  Told them as well that if the system admins did their job, no vuln will be found and the world will be better :)
-  So I perform all my checking, 4 old unpatched NT production servers crashed, the admins in charge of these machines 
were given a roasting and we discover (how strange! : ) ) that some machines were not always up-to-date...

So, I will accept full-blown testing as a manager, but before I will warn the admins of what we will be doing, to be 
able to restart the machines if any trouble occurs or to face any trouble which could occur.

HTH.


-----Message d'origine-----
De : Toby Barrick [mailto:TBLinux () covad net] 
Envoyé : mercredi 23 juin 2004 17:28
À : pen-test () securityfocus com
Objet : Limited vs full blown testing

All,

During my many years of pen testing one common thread when dealing with 
customers has been the request to not perform any destructive or DOS 
type testing. When I speak of DOS, I'm not talking about DDOS, I'm 
talking just a single machine and the tests that can be accomplished 
with that machine. IMHO abiding by that request is really short changing 
the customer and skewing the results. Additionally a lot of companies 
don't want their applications poked at either.

What has been the experience of the members on this list? Do you just 
gleefully accept the check and any limitations imposed on testing or do 
you push for a  "complete" suite of tests?

Thanks in advance!

T