Home page logo

pen-test logo Penetration Testing mailing list archives

Re: [PEN-TEST] Penetration Testing Ethic
From: Bennett Todd <bet () RAHUL NET>
Date: Wed, 13 Sep 2000 16:44:20 -0400

2000-09-13-12:52:51 Mathew Bevan:
I have always had a problem with companies that not only perform
the security audit and make recommendations but perform the fixes
as well... Is it not in their interest to leave a few holes here
and there so that their report doesnt look so bare when they come
back for repeat testing..

Nope. If one organization is both testing and fixing, then they'll
have to document why the problem occurred; it'll have to be either
something they didn't know about before, or a result of some change
made by the customer.

If they didn't know about it before, they'll need to be documenting
(typically with the URL of the bugtraq announcement) how they came
to learn about it since the last scan --- if there's a continuing
pattern of stuff that they didn't find in previous scans, that were
old news when those scans were made, then they aren't doing their


Attachment: _bin

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]