Penetration Testing mailing list archives
Re: Ethics (testing and mitigation)
From: Justin Ferguson <jnferguson () gmail com>
Date: Wed, 4 Mar 2009 18:19:05 -0800
Is it ethical for a security testing (VA, Pen-test, etc) shop to provide mitigation services? If so, under what context?
I don't entirely follow the question, or rather, obviously you tell people how to patch the bugs you find, so I'm guessing I'm misunderstanding the question.
How to guard against the tendency to try to sell a customer the solutions that profit you the most instead of those that the customer needs the most?
In truth, I haven't seen an incredible amount of this in-industry; more often than not, sales have to cut things to get the price down for the client. I don't know about you guys, but I've seen my SOWs at various places and I don't exactly come cheap, so people doing things to inflate price is usually less of a factor. The two things that, at least in my experience, are most common and closest are:

(a) Trying to convince the customer that what they want and need are not the same thing (i.e. blackbox testing [I do more software related consulting]; it makes no sense for a client to pay for this. It's not a cost/time effective manner to conduct a test, it ends up being more of a test for the tester, and it potentially misses issues like:

    retval = some_network_read(fd, buf, MAX_PKT_SZ);
    if (ERR == retval) {
        [...]
    }
    if (retval >= MAGIC_PKT_SZ) {
        if (! strcmp(buf, ELMAGICO))
            system(buf+ELMAGICO_OFF);
        [...]
    }

Something like that is incredibly easily missed, especially if it also involves other factors such as lack of binary/anti-reversing/whatever.) Point being, quite often customers want blackbox testing for a variety of reasons (usually to replicate a 'realistic scenario', which is foolish -- but that's another subject). So, more commonly, what a customer wants is $security, and they want it via method $x, but for whatever reason $x is not going to be the best/whatever way to get them to/closer to/whatever $security; thus common things like 'if they're paying and it's what they want [...]'. Do you see a matter of ethics there?
(b) Trying to fit everything a willing client needs into a price range they can accommodate. I can think of a client that did a large number of modifications to their base OS/libraries/etc. and more or less integrated their product with everything in a manner that for many pieces required reading at least large sections of OSS/FS; this kinda sucked for them as they would basically be paying for someone else's code, and the sheer volume of it made it cost prohibitive. This was a pretty important thing (significant corporate usage), honestly, but the company involved simply couldn't come anything close to paying what was necessary for that large of a code audit. Thus it was both important to the 'ethics of the better good for the community' because of their usage/adoption rate, some odd choices in software usage, and more or less needing absurdly discounted/pro bono work; do you see a matter of ethics there?
Should services be sold as a single blanket package or priced in such a way as to minimize this effect? How does this damage your credibility as an impartial tester?
You sell them what's the best option for them and is sane enough to actually do, that is fair to both parties. If you believe that selling a professional service damages credibility, I have to wonder what you think of people in other professions? Doctors? Lawyers? ...Mechanics? Et cetera. That said, this industry, like most business, has relatively little to do with ethics (that's why you take a 'business ethics' class instead of an 'ethics' class). Consider this: the prevalent opinion and desired ability in this profession is that if there's something you've never done before/don't know/are not qualified for, you probably shouldn't be learning it on-site; not at the prices people are paying. That's not to say so much expecting employees to learn new areas/expand/whatever, just more so that people should not be learning on-site when the client's paid for a person who is a professional $x. This is also not uncommon; however biased the question was, do you see a matter of ethics there? Finally, to avoid confusion, I want to specifically bring attention to the point that none of this is a reflection on my current employer; in truth, I couldn't say anything negative about them as they've been more than fair/honest/et cetera. This is more a reflection on various places I've worked in the past. I want people to be mindful that I am specifically not saying whom I work for currently as this isn't an advert, it's an honest disclaimer for anyone that knows/can do/whatever the name<->company translation.
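The point in the post above about source review catching what blackbox testing misses, as an added example that is not part of the original message or any project's tooling: a deliberately crude source-level taint check that flags a shell or exec sink whose arguments mention a buffer filled by a network read, run over a constructed reconstruction of the sketch in the post. The source/sink tables, the function names and the sample are assumptions of this example.

```python
import re

# Network-input sources: name -> index of the argument that receives the bytes.
SOURCES = {"recv": 1, "recvfrom": 1, "read": 1, "some_network_read": 1}
# Sinks that hand a string to a shell or program loader.
SINKS = {"system", "popen", "execl", "execlp", "execv", "execvp"}
IDENT_CALL = re.compile(r"\b([A-Za-z_]\w*)\s*\(")
IDENT = re.compile(r"[A-Za-z_]\w*")

def calls_in(line):
    """Yield (name, argument_text) per call-like token, balancing parentheses."""
    for m in IDENT_CALL.finditer(line):
        depth, start = 1, m.end()
        for i in range(start, len(line)):
            depth += {"(": 1, ")": -1}.get(line[i], 0)
            if depth == 0:
                yield m.group(1), line[start:i]
                break

def find_tainted_sinks(source):
    """Return (line_no, sink, args) for each sink whose arguments name a buffer an
    earlier network source filled. Crude on purpose: no scoping, no sanitisers."""
    tainted, findings = set(), []
    for lineno, line in enumerate(source.splitlines(), 1):
        for name, argtext in calls_in(line):
            if name in SOURCES:
                args = argtext.split(",")  # naive split; fine for plain buffers
                ident = IDENT.search(args[SOURCES[name]]) if len(args) > SOURCES[name] else None
                if ident:
                    tainted.add(ident.group(0))
            elif name in SINKS and tainted & set(IDENT.findall(argtext)):
                findings.append((lineno, name, argtext.strip()))
    return findings

# Constructed sample: a reconstruction of the sketch in the post, not real product code.
SAMPLE = """\
retval = some_network_read(fd, buf, MAX_PKT_SZ);
if (ERR == retval) {
    return -1;
}
if (retval >= MAGIC_PKT_SZ) {
    if (! strcmp(buf, ELMAGICO))
        system(buf + ELMAGICO_OFF);
}
"""

if __name__ == "__main__":
    for lineno, sink, args in find_tainted_sinks(SAMPLE):
        print(f"line {lineno}: {sink}({args}) receives network-controlled data")
```

A single pass over the source finds the magic-string path directly, whereas a blackbox tester has to guess ELMAGICO before the path ever executes.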