Penetration Testing mailing list archives
Re: Ethics (testing and mitigation)
From: Dotzero <dotzero () gmail com>
Date: Wed, 4 Mar 2009 08:43:18 -0500
On Sat, Feb 28, 2009 at 9:04 PM, Tony <tony_l_turner () yahoo com> wrote:
> Is it ethical for a security testing (VA, Pen-test, etc) shop to provide mitigation services? If so, under what context? How to guard against the tendency to try to sell a customer the solutions that profit you the most instead of those that the customer needs the most? Should services be sold as a single blanket package or priced in such a way as to minimize this effect? How does this damage your credibility as an impartial tester? You don't have to answer all of this, just looking for discussion along these lines.
>
> --
> Tony L Turner CISSP/CISA/GSEC/ITIL
> IT Security/Disaster Preparedness Consultant
Tony, I don't necessarily think it is unethical. I think it can easily become problematic. For that reason I generally won't contract other services from vendors we use for VA or pentesting. I'd also point out that pentesting is a distinctly different set of skillsets from implementing security and controls. The fact that an organization is good at pentesting does not mean that organization is a good choice for implementing an IDS or configuring a firewall (doesn't mean they aren't, just that they don't go hand in hand).
Current thread:
- Ethics (testing and mitigation) Tony (Mar 03)
- Re: Ethics (testing and mitigation) Micheal Cottingham (Mar 03)
- Re: Ethics (testing and mitigation) Dotzero (Mar 04)
- Re: Ethics (testing and mitigation) Parity (Mar 04)
- Re: Ethics (testing and mitigation) Justin Ferguson (Mar 04)