[PEN-TEST] FW: Penetration Testing Ethic
From: "Dunker, Noah" <NDunker () FISHNETSECURITY COM>
Date: Wed, 13 Sep 2000 15:51:54 -0500
In the past, I know of many situations such as this one,
but it all comes back to letting the pen-tester know that
they are not the only one that is going to be used. This
will usually make the pen-tester perform a complete fix-up
if it's requested. Whenever I come back to a client site
after six months or a year have lapsed, I will often find new
holes anyway... Things have been discovered that weren't
known about a year ago... Things may not have been
upgraded... and some new things may have been installed
which open up some vulnerability. Trust me, an honest
pen-tester usually has no problem finding a new hole after
one year, and if they are asked why they didn't catch the
problem last year, they will truly have a good answer.
In reality, if someone comes in today, performs a pen-test
and "fixes" my network, and comes back next year, saying
they found that I was running bind-8.1.1 on my nameserver,
and nothing's been done to my nameserver since the last
pen-test... I, personally, will ask why the hell the tester
did not find that last year!
In general, letting the tester know "he/she is not the only
one" will get their attention. Also, the tester should let
at least one technical person supervise them if they are
performing the tests on-site. If the tester is
uncomfortable with this, there could be something wrong.
Just my $0.04 (and some info from past experiences)
From: Mathew Bevan [mailto:listhandler () NTLWORLD COM]
Sent: Wednesday, September 13, 2000 11:53 AM
To: PEN-TEST () SECURITYFOCUS COM
Subject: Penetration Testing Ethic
This follows on from the pen testing cost thread; Alexander Sarris raised
the point about being sold repairs multiple times.
I have always had a problem with companies that not only perform the
security audit and make recommendations but perform the fixes as well... Is
it not in their interest to leave a few holes here and there so that their
report doesn't look so bare when they come back for repeat testing?
Obviously this is an ethical issue and something I feel shouldn't happen,
this operating-on-both-sides-of-the-fence situation.
What does everyone else feel about this?
Mathew Bevan aka Kuji (RL 1994)