Penetration Testing mailing list archives

Re: Ethics (testing and mitigation)


From: Micheal Cottingham <techie.micheal () gmail com>
Date: Tue, 3 Mar 2009 18:55:35 -0500

Why wouldn't it be ethical? Isn't that half of what a pentest/VA/etc.
business does? Aren't they supposed to inform the customer on how to
potentially fix the problem? Granted, you wouldn't necessarily know
everything about their environment, codebase (especially if you just
blackboxed it), whatever, but if you firewalked their firewall, for
example, why wouldn't you point them to someone in your company who is
good with ACLs?

As for the rest of the questions, I think that's where the ethics come
in. Selling someone something just because you profit from it the most
is, in my opinion, unethical. I think services in this situation
should be sold in such a way that they are more à la carte. That's
just my random thoughts. :)

Now I await the flood of ooo emails ...

On Sat, Feb 28, 2009 at 9:04 PM, Tony <tony_l_turner () yahoo com> wrote:
Is it ethical for a security testing (VA, Pen-test, etc) shop to provide
mitigation services? If so, under what context? How to guard against the
tendency to try to sell a customer the solutions that profit you the
most instead of those that the customer needs the most? Should services
be sold as a single blanket package or priced in such a way as to
minimize this effect? How does this damage your credibility as an
impartial tester?

You don't have to answer all of this, just looking for discussion along
these lines.
--
Tony L Turner CISSP/CISA/GSEC/ITIL
IT Security/Disaster Preparedness Consultant
