Re: Ethics (testing and mitigation)

[Dotzero <dotzero () gmail com>]

On Sat, Feb 28, 2009 at 9:04 PM, Tony <tony_l_turner () yahoo com> wrote:
> Is it ethical for a security testing (VA, Pen-test, etc) shop to provide
> mitigation services? If so, under what context? How to guard against the
> tendency to try to sell a customer the solutions that profit you the
> most instead of those that the customer needs the most? Should services
> be sold as a single blanket package or priced in such a way as to
> minimize this effect? How does this damage your credibility as an
> impartial tester?
>
> You don't have to answer all of this, just looking for discussion along
> these lines.
> --
> Tony L Turner CISSP/CISA/GSEC/ITIL
> IT Security/Disaster Preparedness Consultant

Tony,

I don't necessarily think it is unethical. I think it can easily
become problematic.

For that reason I generally won't contract other services from vendors
we use for VA or pentesting. I'd also point out that pentesting is a
distinctly different set of skillsets from implementing security and
controls. The fact that an organization is good at pentesting does not
mean that organization is a good choice for implementing an IDS or
configuring a firewall (doesn't mean they aren't, just that they don't
go hand in hand).