Penetration Testing mailing list archives
Re: Penetration Testing Scheduling
From: Todd Haverkos <fsbo () haverkos com>
Date: Wed, 30 Apr 2008 08:32:37 -0500
Yousif () Vapt-Sec com writes:
I appreciate everyone's commentary on what I've questioned, but I don't think anyone's providing a definite answer. If it's up to the client, then that's done with; it's clearly going to be what they want, not a problem. What if they don't take you up on that and you are the decision maker.
on with your testing, do you let them know exactly a date/time OR do you simply let them know it's a week from now.. I'm clarifying this because it seems like a lot of people are giving options, and that's always good to have a choice, but I'm looking more for the "right" thing to do..
The right thing to do is to tell your primary point of contact who signed your contract and who will get you paid a "no earlier than" test begin date and a "no later than" test end date (be it a week, 2 weeks, what have you). I'd also include the IPs from which you'll be attacking.

Now, whether that individual decides to inform their people in the trenches is then up to them. It also leaves you flexibility about when you fire away in that window, and also some legal protection: in the event someone else hacks them during that window, you have some leverage to say "well, it wasn't us unless the attacks came from the IPs I gave ya."

The interesting question is whether your point of contact chooses to disseminate the test information down to the network operation and security analyst folks. That is up to them, depending on whether their goal for the penetration test is to just test the security posture (in terms of perimeter security, patching, web app security, configuration, etc.), or if they also test internal response procedures and see whether a good quality "incident" firedrill happens (or not).

Hopefully the client won't try to waste their own money on a pentest by adding additional firewall rules for the test window. If they do, it's their own problem. Your report might not have as much to say as it would otherwise, but you'd be reporting what you saw at that time. A right-thinking client who's seeking a pentest would be ill served if they were to undermine their own efforts at learning their risk level by tightening things down just for a test. But if they do, that's their organizational problem, not yours.

Good luck!

--
Todd Haverkos - todd () haverkos com
http://www.linkedin.com/in/toddhaverkos
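The "no earlier than / no later than" window plus the declared attacking IPs is exactly the record a client's analysts can triage alerts against: anything from a declared source inside the window is the authorized test, anything else still needs a real incident response. The script below is an added example and is not code from this thread or from any poster; the engagement window, the declared 203.0.113.0/24 range, the alert log format (ISO-8601 timestamp, source IP, message) and the alert lines themselves are all constructed for illustration using documentation address ranges.

```python
"""Added example: classify IDS alerts against a declared pentest window and source IPs.

Nothing here comes from the mailing-list thread; the engagement record, the
log format and every alert line are constructed for the example.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network
from typing import Iterable, List, Tuple


@dataclass(frozen=True)
class Engagement:
    """What the point of contact was told: a NET/NLT window and the attacking IPs."""
    not_before: datetime          # "no earlier than" start of testing (UTC)
    not_after: datetime           # "no later than" end of testing (UTC)
    sources: tuple                # declared attacking networks (ip_network objects)


def _parse_ts(value: str) -> datetime:
    """Parse an ISO-8601 timestamp; a trailing 'Z' or a missing zone is treated as UTC."""
    parsed = datetime.fromisoformat(value.replace("Z", "+00:00"))
    if parsed.tzinfo is None:
        parsed = parsed.replace(tzinfo=timezone.utc)
    return parsed


def build_engagement(not_before: str, not_after: str, sources: Iterable[str]) -> Engagement:
    """Build the engagement record from the dates and CIDRs given to the client contact."""
    return Engagement(
        not_before=_parse_ts(not_before),
        not_after=_parse_ts(not_after),
        sources=tuple(ip_network(s, strict=False) for s in sources),
    )


def classify(eng: Engagement, when: datetime, src: str) -> str:
    """Return a verdict for one alert based on its time and source address."""
    addr = ip_address(src)
    in_window = eng.not_before <= when <= eng.not_after
    declared = any(addr in net for net in eng.sources)
    if in_window and declared:
        return "authorized-test"              # covered by the engagement, no IR needed
    if declared:
        return "declared-source-outside-window"  # tester fired early/late? raise with them
    if in_window:
        return "undeclared-source-in-window"  # "wasn't us" case: treat as a real incident
    return "outside-engagement"               # ordinary alert, normal IR handling


def triage(log_lines: Iterable[str], eng: Engagement) -> List[Tuple[str, str]]:
    """Classify each constructed alert line of the form '<timestamp> <src-ip> <message>'."""
    results = []
    for line in log_lines:
        ts, src, _message = line.split(" ", 2)
        results.append((src, classify(eng, _parse_ts(ts), src)))
    return results


def summarize(results: Iterable[Tuple[str, str]]) -> dict:
    """Count verdicts so an analyst sees at a glance what falls outside the authorization."""
    counts: dict = {}
    for _src, verdict in results:
        counts[verdict] = counts.get(verdict, 0) + 1
    return counts


# Constructed engagement: a one-week window, attacks declared from 203.0.113.0/24.
ENGAGEMENT = build_engagement("2008-05-05T00:00:00Z", "2008-05-12T23:59:59Z", ["203.0.113.0/24"])

# Constructed IDS alerts (documentation address ranges only).
SAMPLE_ALERTS = [
    "2008-05-06T14:02:11Z 203.0.113.10 IDS: TCP SYN sweep against 192.0.2.0/24",
    "2008-05-06T14:05:40Z 198.51.100.7 IDS: TCP SYN sweep against 192.0.2.0/24",
    "2008-05-14T02:17:03Z 203.0.113.10 IDS: HTTP directory brute force on 192.0.2.20",
    "2008-04-30T09:00:00Z 198.51.100.7 IDS: SSH login failures on 192.0.2.5",
]

if __name__ == "__main__":
    for src, verdict in triage(SAMPLE_ALERTS, ENGAGEMENT):
        print(f"{src:16} {verdict}")
    print(summarize(triage(SAMPLE_ALERTS, ENGAGEMENT)))
```

The second sample line is the case Todd's reply is really about: it lands inside the window but not from a declared source, so it is labelled as not covered by the test authorization rather than assumed to be the tester's noise. The window check is inclusive at both ends and all comparisons are done in UTC, so a client whose logs carry local timestamps should normalise them before running this.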
Current thread:
- Penetration Testing Scheduling Yousif (Apr 28)
- Re: Penetration Testing Scheduling Dotzero (Apr 29)
- Re: Penetration Testing Scheduling Robin Wood (Apr 29)
- Re: Penetration Testing Scheduling arvind doraiswamy (Apr 29)
- Re: Penetration Testing Scheduling Sat Jagat Singh (Apr 30)
- Re: Penetration Testing Scheduling Anders Thulin (Apr 29)
- <Possible follow-ups>
- Re: Penetration Testing Scheduling Yousif (Apr 29)
- Re: Penetration Testing Scheduling Joey Peloquin (Apr 30)
- Re: Penetration Testing Scheduling Todd Haverkos (Apr 30)
- Re: Re: Penetration Testing Scheduling zenmasterbob123 (Apr 30)