Penetration Testing mailing list archives
RE: Limited vs full blown testing
From: "Jerry Shenk" <jshenk () decommunications com>
Date: Thu, 24 Jun 2004 06:46:38 -0400
I just got one of them yesterday. At this point, I'm dealing with the sales rep but basically I ask them, "If you have something that breaks, wouldn't it be good to find it?" Then I back off a bit and tell them that I can ratchet things back a bit and not blast their network too hard. I'll often offer to do the "heavy stuff" at some scheduled time. Sometimes they have a particular legacy system that is critical to production and they know it's "touchy" and they just want to keep it running till they replace it. Basically, I'll do what they want, but I try to explain to them what they're asking for and I try to talk them out of it; if push comes to shove, I'll do what they want, but those stipulations get added to the final document.

Here's what I just sent that sales rep a few hours ago:

"There is always the possibility that in doing an audit, something will go down. We're pretty careful to avoid that but sometimes it happens. One of the specific things that we sometimes test is DOS (Denial of Service) - in those cases, we actually try to bring things down so that vulnerable hardware and software can be detected and fixed. For an audit of a bank or something with critical infrastructure or services using the internet, we would generally try to see how vulnerable they are to a DOS attack. ...but, we can intentionally avoid them also."

-----Original Message-----
From: Toby Barrick [mailto:TBLinux () covad net]
Sent: Wednesday, June 23, 2004 12:28 PM
To: pen-test () securityfocus com
Subject: Limited vs full blown testing

All,

During my many years of pen testing, one common thread when dealing with customers has been the request to not perform any destructive or DOS type testing. When I speak of DOS, I'm not talking about DDOS; I'm talking about just a single machine and the tests that can be accomplished with that machine. IMHO, abiding by that request is really short-changing the customer and skewing the results.

Additionally, a lot of companies don't want their applications poked at either. What has been the experience of the members on this list? Do you just gleefully accept the check and any limitations imposed on testing, or do you push for a "complete" suite of tests?

Thanks in advance!

T