mailing list archives
Re: [PEN-TEST] Testing a "rogue site"
From: Karyn Pichnarczyk <karyn () SANDSTORM NET>
Date: Mon, 11 Sep 2000 12:47:26 -0400
"Alexander Sarras (SEA)" wrote:
(previous message deleted to save bandwidth)
Basically I concur, but if you want to stick: Get your company's written
approval of your responibilities. If this rogue site is inside your
responibility tell them (in writing) it's either your authority as well or
no responsibility. If it's the later, firewall them off your site! As long
as it's not your job (and that's what having the authority means), don't do
any more scanning or the like, it might be constructed as something
A couple of rules to go by:
1) SECURITY has the last say! EVER!
2) if SECURITY say's no, it stays that way. Otherwise quit.
If possible get that in writing.
I totally disagree with the two rules stated above. yes, You need your
company's written approval of your responsibilities. But unless you go by
the One and Only rule, you will not last long in the security trade:
1. Business Must Continue.
If this rule is not followed, then it doesn't matter how good or bad
the security posture is: the company just won't exist!
Therefore, the Business Demands of the company must be met, AT ALL COSTS
including, regretfully and occasionally, the cost of bad security. I am
not saying that security must be bad by any stretch of the imagination.
I'm just saying that there are times that, due to Business Reasons, the
security professional must make provisions within the security archetecture
to wince with pain, inform superiors that the security is awful, and
propose a plan to upgrade to the better security posture.
Just be sure to CYA and make sure that the superiors who have made the
decision to ignore security have written this down somewhere. THEY are the
one who made the decision based upon the Risk Analysis of the security
department, and therefore THEY are responsible if the security is
ps: this is another reason for security to be involved in all aspects of
the company from the start on any project. If you know what's going on
early enough in a project, you may be able to keep the worst of the
problems at bay. Of course, this doesn't help one whit with regards to the
topic of this thread in pen-test.