Re: [PEN-TEST] Penetration Testing Ethic
From: edison <edison () DHP COM>
Date: Wed, 13 Sep 2000 16:46:55 -0400
I don't know about anyone else, but I'm _thrilled_ when a report comes
back bare. But it's not uncommon for corporations to choose different
pen-test companies each year/test. If that were the case, then I
definitely would want the succeeding report to be empty.
On Wed, 13 Sep 2000, Mathew Bevan wrote:
This follows on from the pen testing cost thread, Alexander Sarris raised
the point about being sold repairs multiple times..
I have always had a problem with companies that not only perform the
security audit and make recommendations but perform the fixes as well... Is
it not in their interest to leave a few holes here and there so that their
report doesn't look so bare when they come back for repeat testing..
Obviously this is an ethical issue and something I feel shouldn't happen,
this operating on both sides of the fence situation..
What does everyone else feel about this?
Mathew Bevan aka Kuji (RL 1994)