Penetration Testing mailing list archives
Re: Ethics (testing and mitigation)
From: Micheal Cottingham <techie.micheal () gmail com>
Date: Tue, 3 Mar 2009 18:55:35 -0500
Why wouldn't it be ethical? Isn't that half of what a pentest/VA/etc. business does? Aren't they supposed to inform the customer on how to potentially fix the problem? Granted, you wouldn't necessarily know everything about their environment, codebase (especially if you just blackboxed it), whatever, but if you firewalked their firewall, for example, why wouldn't you point them to someone in your company who is good with ACLs? As for the rest of the questions, I think that's where the ethics come in. Selling someone something just because you profit from it the most is, in my opinion, unethical. I think services in this situation should be sold in such a way that they are more à la carte. That's just my random thoughts. :) Now I await the flood of ooo emails ...

On Sat, Feb 28, 2009 at 9:04 PM, Tony <tony_l_turner () yahoo com> wrote:
> Is it ethical for a security testing (VA, Pen-test, etc) shop to provide mitigation services? If so, under what context? How to guard against the tendency to try to sell a customer the solutions that profit you the most instead of those that the customer needs the most? Should services be sold as a single blanket package or priced in such a way as to minimize this effect? How does this damage your credibility as an impartial tester? You don't have to answer all of this, just looking for discussion along these lines.
>
> --
> Tony L Turner CISSP/CISA/GSEC/ITIL
> IT Security/Disaster Preparedness Consultant
Current thread:
- Ethics (testing and mitigation) Tony (Mar 03)
- Re: Ethics (testing and mitigation) Micheal Cottingham (Mar 03)
- Re: Ethics (testing and mitigation) Dotzero (Mar 04)
- Message not available
- Re: Ethics (testing and mitigation) Parity (Mar 04)
- Re: Ethics (testing and mitigation) Justin Ferguson (Mar 04)