Penetration Testing mailing list archives

Re: Penetration Testing Scheduling


From: Todd Haverkos <fsbo () haverkos com>
Date: Wed, 30 Apr 2008 08:32:37 -0500

Yousif () Vapt-Sec com writes:

> I appreciate everyone's commentary on what I've questioned, but I
> don't think anyone's providing a definite answer. If it's up to the
> client, then that's done with; it's clearly going to be what they
> want, not a problem. What if they don't take you up on that and you
> are the decision maker?
>
> on with your testing, do you let them know exactly a date/time OR
> do you simply let them know it's a week from now? I'm clarifying
> this because it seems like a lot of people are giving options, and
> that's always good to have a choice, but I'm looking more for the
> "right" thing to do.

The right thing to do is to tell your primary point of contact, who
signed your contract and who will get you paid, a "no earlier than"
test begin date and a "no later than" test end date (be it a week, 2
weeks, what have you). I'd also include the IPs from which you'll be
attacking.

Now, whether that individual decides to inform their people in the
trenches is then up to them. It also leaves you flexibility about
when you fire away in that window, and also some legal protection: in
the event someone else hacks them during that window, you have some
leverage in saying "well, it wasn't us unless the attacks came from
the IPs I gave ya."

The interesting question is whether your point of contact chooses to
disseminate the test information down to the network operations and
security analyst folks. That is up to them, depending on whether
their goal for the penetration test is to just test the security
posture (in terms of perimeter security, patching, web app security,
configuration, etc.), or if they also test internal response procedures
and see whether a good quality "incident" fire drill happens (or not).

Hopefully the client won't try to waste their own money on a pentest
by adding additional firewall rules for the test window. If they do,
it's their own problem. Your report might not have as much to say as
it would otherwise, but you'd be reporting what you saw at that time.
A right-thinking client who's seeking a pentest would be ill served if
they were to undermine their own efforts at learning their risk level
by tightening things down just for a test. But if they do, that's
their organizational problem, not yours.

Good luck! 

--
Todd Haverkos  -  todd () haverkos com
http://www.linkedin.com/in/toddhaverkos
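The "no earlier than" / "no later than" window plus the list of tester source IPs described in the reply above is exactly what a defender's SOC needs to tell agreed test traffic apart from a real intrusion during the engagement. The following is an added example, not code from the thread or from either author: it takes a constructed rules-of-engagement record (hypothetical dates and the 203.0.113.0/28 documentation range standing in for the tester's IPs) and triages constructed alert lines against it. An event is only written off as "tester" when both the time window and the source address match; a tester IP seen outside the window, or an unknown source inside it, is escalated as a real event.

```python
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network

# Hypothetical rules-of-engagement record as agreed with the point of contact:
# a "no earlier than" / "no later than" window and the tester's source networks.
# All values are constructed for this example (203.0.113.0/24 is a documentation range).
ROE = {
    "not_before": datetime(2008, 5, 5, 0, 0, 0, tzinfo=timezone.utc),
    "not_after": datetime(2008, 5, 12, 23, 59, 59, tzinfo=timezone.utc),
    "tester_sources": [ip_network("203.0.113.0/28")],
}

# Constructed sample alerts in "timestamp,src_ip,signature" form.
SAMPLE_ALERTS = """\
2008-05-06T14:02:11Z,203.0.113.7,port-scan
2008-05-06T14:05:40Z,198.51.100.23,port-scan
2008-05-14T09:10:00Z,203.0.113.7,ssh-bruteforce
"""


def parse_alert(line):
    """Split one CSV alert line into (aware datetime, IP address, signature)."""
    ts, src, sig = line.strip().split(",")
    # Accept the trailing 'Z' form on every Python 3 version that has fromisoformat.
    when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return when, ip_address(src), sig


def classify(when, src, roe):
    """Attribute an event to the test only when BOTH the window and the source match.

    Anything else is a real event to escalate, including a known tester IP
    seen outside the agreed window.
    """
    in_window = roe["not_before"] <= when <= roe["not_after"]
    from_tester = any(src in net for net in roe["tester_sources"])
    if not in_window:
        return "outside-window"   # tester IP or not, the engagement does not cover it
    if not from_tester:
        return "unknown-source"   # inside the window but not from the agreed IPs
    return "tester"


def triage(lines, roe=ROE):
    """Return [(src_ip, signature, verdict), ...] for the given alert lines."""
    results = []
    for line in lines:
        if not line.strip():
            continue
        when, src, sig = parse_alert(line)
        results.append((str(src), sig, classify(when, src, roe)))
    return results


if __name__ == "__main__":
    for src, sig, verdict in triage(SAMPLE_ALERTS.splitlines()):
        print(f"{src:16} {sig:15} -> {verdict}")
```

The boundary check is deliberately inclusive at both ends of the window and the verdict order matters: the window is tested first so that a tester address reappearing after the "no later than" date is not quietly absorbed into the engagement.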


