Penetration Testing mailing list archives
Re: Limited vs full blown testing
From: Martin Mačok <martin.macok () underground cz>
Date: Thu, 24 Jun 2004 23:01:50 +0200
On Wed, Jun 23, 2004 at 09:27:58AM -0700, Toby Barrick wrote:
During my many years of pen testing one common thread when dealing with customers has been the request to not perform any destructive or DOS type testing.
Tell them that the purpose of the test is *to test* (i.e. to try something) and the only thing you can do to not break anything is to not try anything at all. Maybe they want an audit instead of a pen-test and they just don't know the terms and the meanings. If they are so scared, negotiate the exact time of potentially destructive/aggressive tests. Use Nessus with "safe checks" turned on for "polite" scans... You can also disable all "DoS" family plugins in Nessus. Martin Mačok IT Security Consultant
Current thread:
- Limited vs full blown testing Toby Barrick (Jun 24)
- RE: Limited vs full blown testing Jerry Shenk (Jun 24)
- Re: Limited vs full blown testing Richard Rager (Jun 24)
- Re: Limited vs full blown testing Peter Wood (Jun 24)
- Re: Limited vs full blown testing R. DuFresne (Jun 24)
- RE: Limited vs full blown testing Jerry Shenk (Jun 27)
- RE: Limited vs full blown testing R. DuFresne (Jun 27)
- Re: Limited vs full blown testing R. DuFresne (Jun 24)
- Re: Limited vs full blown testing Martin Mačok (Jun 25)
- RE: Limited vs full blown testing Markowsky, Tyler (Jun 27)
- <Possible follow-ups>
- RE: Limited vs full blown testing Bénoni MARTIN (Jun 24)
- RE: Limited vs full blown testing Martin Murray-Brown (Jun 24)
- Re: Limited vs full blown testing El C0chin0 (Jun 24)
- IE caching issue jatkinson (Jun 27)
- Re: IE caching issue Daniel Staal (Jun 28)
- IE caching issue jatkinson (Jun 27)
- RE: Limited vs full blown testing Thompson, Jimi (Jun 27)
- RE: Limited vs full blown testing Wayne Wooley (Jun 27)
- RE: Limited vs full blown testing R. DuFresne (Jun 27)
- RE: Limited vs full blown testing Alan Davies (Jun 27)