Home page logo
/

pen-test logo Penetration Testing mailing list archives

Re: [PEN-TEST] Penetration Testing Ethic
From: H Carvey <keydet89 () YAHOO COM>
Date: Thu, 14 Sep 2000 10:50:29 -0000


I have always had a problem with companies that 
not only perform the
security audit and make recommendations but 
perform the fixes as well... Is
it not in their interest to leave a few holes 
here and there so that their
report doesnt look so bare when they come back 
for repeat testing..


Regardless of ethics and business decisions, this 
just doesn't make sense to me.  After all, a 
consulting company is called in to do a 
penetration test (or for the sake of this 
discussion, it could also be a vulnerability 
assessment), finds holes, etc.  They then write up 
a report (which one sincerely hopes is NOT simply 
accepted w/o review) that should contain not only 
a listing of the vulnerabilities found, but a 
prioritized workflow of how for dealing with the 
discoveries.  

At this point, the owning company should review 
the final report, and address the issues based 
upon their business needs, staffing and resources 
available, etc.  Most importantly, the owning 
company should be the ones to apply the fixes!  
Why?  B/c they live with the infrastructure...who 
better to fix it?  

Carv


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]