Penetration Testing mailing list archives

RE: Limited vs full blown testing


From: "Jerry Shenk" <jshenk () decommunications com>
Date: Thu, 24 Jun 2004 06:46:38 -0400

I just got one of them yesterday.  At this point, I'm dealing with the
sales rep but basically I ask them, "If you have something that breaks,
wouldn't it be good to find it?"  Then I back off a bit and tell them
that I can ratchet things back a bit and not blast their network too hard.
I'll often offer to do the "heavy stuff" at some scheduled time.
Sometimes they have a particular legacy system that is critical to
production and they know it's "touchy" and they just want to keep it
running till they replace it.  Basically, I'll do what they want, but I
try to explain to them what they're asking for and I try to talk them
out of it. If push comes to shove, I'll do what they want, but those
stipulations get added to the final document.

Here's what I just sent that sales rep a few hours ago:

"There is always the possibility that in doing an audit, something will
go down.  We're pretty careful to avoid that but sometimes it happens.
One of the specific things that we sometimes test is DOS (Denial of
Service) - in those cases, we actually try to bring things down so that
vulnerable hardware and software can be detected and fixed.  For an
audit of a bank or something with critical infrastructure or services
using the internet, we would generally try to see how vulnerable they
are to a DOS attack. ...but we can intentionally avoid them also."

-----Original Message-----
From: Toby Barrick [mailto:TBLinux () covad net] 
Sent: Wednesday, June 23, 2004 12:28 PM
To: pen-test () securityfocus com
Subject: Limited vs full blown testing


All,

During my many years of pen testing one common thread when dealing with
customers has been the request to not perform any destructive or DOS
type testing. When I speak of DOS, I'm not talking about DDOS, I'm
talking just a single machine and the tests that can be accomplished
with that machine. IMHO abiding by that request is really short-changing
the customer and skewing the results. Additionally a lot of companies
don't want their applications poked at either.

What has been the experience of the members on this list? Do you just
gleefully accept the check and any limitations imposed on testing or do
you push for a "complete" suite of tests?

Thanks in advance!

T