Penetration Testing mailing list archives

Re: Ethics (testing and mitigation)


From: Justin Ferguson <jnferguson () gmail com>
Date: Wed, 4 Mar 2009 18:19:05 -0800

> Is it ethical for a security testing (VA, Pen-test, etc) shop to provide
> mitigation services? If so, under what context?

I don't entirely follow the question, or rather, obviously you tell
people how to patch the bugs you find, so I'm guessing I'm
misunderstanding the question.

> How to guard against the
> tendency to try to sell a customer the solutions that profit you the
> most instead of those that the customer needs the most?

In truth, I haven't seen an incredible amount of this in industry;
more often than not, sales have to cut things to get the price down
for the client. I don't know about you guys, but I've seen my SOWs at
various places and I don't exactly come cheap, so people doing things
to inflate the price are usually less of a factor. The two things that, at
least in my experience, are most common and closest are:

(a) Trying to convince the customer that what they want and need are
not the same thing (e.g. blackbox testing [I do more software-related
consulting]; it makes no sense for a client to pay for this. It's not
a cost- or time-effective way to conduct a test; it ends up being more
of a test of the tester, and it potentially misses issues like:
       retval = some_network_read(fd, buf, MAX_PKT_SZ);

       if (retval == ERR) { [...] }

       /* magic packet: ELMAGICO, a NUL, then whatever follows is handed to system() */
       if (retval >= MAGIC_PKT_SZ) {
             if (!strcmp(buf, ELMAGICO))
                   system(buf + ELMAGICO_OFF);
       }
       [...]

Something like that is incredibly easy to miss, especially if it
also involves other factors such as lack of
binary/anti-reversing/whatever. Point being, quite often customers
want blackbox testing for a variety of reasons (usually to replicate
a 'realistic scenario', which is foolish-- but that's another subject).
So, more commonly, what a customer wants is $security via
method $x, but for whatever reason $x is not going to be/the
best/whatever way to get them to/closer to/whatever $security; thus
you get common things like 'if they're paying and it's what they want [...]'. Do
you see a matter of ethics there?

(b) Trying to fit everything a willing client needs into a price range
they can accommodate. I can think of a client that did a large number
of modifications to their base OS/libraries/etc. and more or less
integrated their product with everything in a manner that, for many
pieces, required reading at least large sections of OSS/FS. This kinda
sucked for them, as they would basically be paying for someone else's
code, and the sheer volume of it made it cost prohibitive. This was a
pretty important thing (significant corporate usage), honestly, but the
company involved simply couldn't come anywhere close to paying what was
necessary for that large a code audit. Thus it was both important
to the 'ethics of the better good for the community' because of their
usage/adoption rate, some odd choices in software usage, and more or
less needing absurdly discounted/pro bono work; do you see a matter of
ethics there?

> Should services
> be sold as a single blanket package or priced in such a way as to
> minimize this effect? How does this damage your credibility as an
> impartial tester?

You sell them what's the best option for them, is sane enough to
actually do, and is fair to both parties. If you believe that selling
a professional service damages credibility, I have to wonder what you
think of people in other professions: doctors? lawyers? ...mechanics?
et cetera.

That said, this industry, like most businesses, has relatively little to
do with ethics (that's why you take a 'business ethics' class instead
of an 'ethics' class). Consider this: the prevalent opinion and
desired ability in this profession is that if there's something you've
never done before/don't know/are not qualified for, you probably
shouldn't be learning it on-site; not at the prices people are paying.
That's not so much to say anything against expecting employees to learn new
areas/expand/whatever; it's more so that people should not be learning
on-site when the client has paid for a person who is a professional $x.
This is also not uncommon; however biased the question was, do you
see a matter of ethics there?

Finally, to avoid confusion, I want to specifically bring attention to
the point that none of this is a reflection on my current employer; in
truth, I couldn't say anything negative about them, as they've been
more than fair/honest/et cetera. This is more a reflection on various
places I've worked in the past. I want people to be mindful that I am
specifically not saying whom I work for currently, as this isn't an
advert; it's an honest disclaimer for anyone that knows/can
do/whatever the name<->company translation.

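The magic-packet snippet in the post, worked through as an added example (this is not the poster's code, and every name in it is hypothetical: MAGIC, handle_packet, blind_fuzz, magic_search_bits and count_shell_spawns are invented here). It keeps the same shape as the snippet, but replaces system() with a stub that records the command instead of running it. It then makes the "blackbox misses this" point concrete: a deterministic blind-fuzz run of 100000 random packets never reaches the hidden path (the trigger is a fixed 9-byte prefix, i.e. roughly a 2^72 search), while a crude scan of the source text finds the shell-spawning call immediately. The trigger packet and the source line scanned are constructed sample inputs.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not the poster's code. All names below are hypothetical. */

#define MAX_PKT_SZ   512
#define MAGIC        "ELMAGICO"       /* assumed trigger string */
#define MAGIC_OFF    (sizeof(MAGIC))  /* 9: the string plus its NUL terminator */
#define MAGIC_PKT_SZ (MAGIC_OFF + 1)  /* magic, NUL, and at least one command byte */

static char last_command[MAX_PKT_SZ + 1];

/* Stand-in for system(): records what would have been run instead of running it. */
static void run_command(const char *cmd)
{
    snprintf(last_command, sizeof last_command, "%s", cmd);
}

const char *last_command_run(void) { return last_command; }

/* Handler with the same shape as the snippet in the post. A packet whose bytes
 * are "ELMAGICO", a NUL, then a command has that command handed to run_command().
 * Returns 1 when the hidden path fired, 0 otherwise (including the error path). */
int handle_packet(const uint8_t *pkt, size_t len)
{
    char buf[MAX_PKT_SZ + 1];

    if (pkt == NULL || len == 0 || len > MAX_PKT_SZ)   /* the "ERR" case */
        return 0;

    memcpy(buf, pkt, len);
    buf[len] = '\0';                 /* terminate so strcmp() cannot run off the end */

    if (len >= MAGIC_PKT_SZ) {
        /* strcmp() stops at the first NUL, so this matches "ELMAGICO\0<anything>" */
        if (!strcmp(buf, MAGIC)) {
            run_command(buf + MAGIC_OFF);
            return 1;
        }
    }
    /* ... normal protocol handling would go here ... */
    return 0;
}

/* Small deterministic xorshift32 generator so the fuzz run is reproducible offline. */
static uint32_t rng_state = 0x9E3779B9u;
static uint32_t xorshift32(void)
{
    uint32_t x = rng_state;
    x ^= x << 13;
    x ^= x >> 17;
    x ^= x << 5;
    return rng_state = x;
}

/* Blind (blackbox) fuzzing: n random packets of random length, counting backdoor
 * hits. A packet hits only if its first 9 bytes are exactly "ELMAGICO\0". */
unsigned long blind_fuzz(unsigned long n)
{
    uint8_t pkt[MAX_PKT_SZ];
    unsigned long hits = 0;

    for (unsigned long i = 0; i < n; i++) {
        size_t len = 1 + (size_t)(xorshift32() % MAX_PKT_SZ);
        for (size_t j = 0; j < len; j++)
            pkt[j] = (uint8_t)xorshift32();
        hits += (unsigned long)handle_packet(pkt, len);
    }
    return hits;
}

/* Bits of search space a blind tester must cover to hit the trigger by chance:
 * 8 bits for every byte of the magic string, its NUL included. */
unsigned magic_search_bits(void)
{
    return 8u * (unsigned)MAGIC_OFF;
}

/* Source review: a crude scan of source text for calls that spawn a shell or a
 * program. With the code in hand, the backdoor is one grep away. */
unsigned count_shell_spawns(const char *src)
{
    static const char *const needles[] = { "system(", "popen(", "execl(", "execv(" };
    unsigned n = 0;

    for (size_t i = 0; i < sizeof needles / sizeof needles[0]; i++)
        for (const char *p = src; (p = strstr(p, needles[i])) != NULL; p += strlen(needles[i]))
            n++;
    return n;
}

int main(void)
{
    /* Constructed sample packet: magic, NUL, then the command "id" (11 bytes). */
    const uint8_t trigger[] = "ELMAGICO\0id";
    /* Constructed sample source line, modelled on the snippet in the post. */
    const char *snippet = "if (!strcmp(buf, ELMAGICO)) system(buf + ELMAGICO_OFF);";

    printf("trigger packet fired: %d (would run: \"%s\")\n",
           handle_packet(trigger, sizeof trigger - 1), last_command_run());
    printf("blind fuzz hits in 100000 packets: %lu (needs about 2^%u tries)\n",
           blind_fuzz(100000), magic_search_bits());
    printf("shell-spawning calls found by source scan: %u\n", count_shell_spawns(snippet));
    return 0;
}
```

The fuzzer is deliberately naive (uniform random bytes), which is the realistic case for a blackbox tester who does not know the trigger exists; a smarter fuzzer still has nothing to steer it toward a 9-byte constant that never appears in normal traffic, whereas the source scan needs only the list of dangerous sinks.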

