Penetration Testing mailing list archives

Re: Penetration Testing Scheduling


From: Joey Peloquin <joeyp () cotse net>
Date: Wed, 30 Apr 2008 08:13:21 -0500

Yousif () Vapt-Sec com wrote:
> I appreciate everyone's commentary on what I've questioned, but I don't think anyone's providing a definite answer. If it's up to the client, then that's done with; it's clearly going to be what they want, not a problem. What if they don't take you up on that and you are the decision maker? I'm getting worthless comments from people telling me that I should always have permission before security testing, but keep in mind that everyone knows that; commentary like that is just useless. Now, to focus on the question, let's say both parties agree to fulfill the security testing, the contracts have been signed, and the setup in general has been completed. To go on with your testing, do you let them know exactly a date/time OR do you simply let them know it's a week from now? I'm clarifying this because it seems like a lot of people are giving options, and it's always good to have a choice, but I'm looking more for the "right" thing to do.

We settle on the start date before the contract is signed, unless the client has a specific requirement that they shouldn't know when we begin (they almost never do). If we don't have a specific window for testing (e.g., 6p-6a), we start whenever we're ready on the agreed-upon date; otherwise, we generally kick it off at the beginning of the window.

I used to be on the receiving end of PT services, and it was the same when I was the client. We'd negotiate an approximate start date, and the start time would fall somewhere within the "maintenance" window for testing.

-jp

--
"Companies will say, "We can Web 2.0ify your existing applications in 15 minutes - we've got a wrapper". These people are charlatans, and you should punch them in the face. They are taking your back-end database tiers and moving them to the perimeter." - Billy Hoffman, HPSW Security Labs
