RE: Limited vs full blown testing

From: Bénoni MARTIN (Benoni.MARTIN_at_libertis.ga)
Date: 06/24/04

    Date: Thu, 24 Jun 2004 10:03:59 +0100
    To: "Toby Barrick" <TBLinux@covad.net>, <pen-test@securityfocus.com>

    Well, I will reply as an IT Architect: in my former company, I had to perform some vuln testing in our networks, and what we did was:
    - I warned the management of what I was doing, telling them clearly that some tests may crash the machines.
    - Told them as well that if the system admins did their job, no vuln would be found and the world would be better :)
    - So I performed all my checking, 4 old unpatched NT production servers crashed, the admins in charge of these machines were given a roasting and we discovered (how strange! : ) ) that some machines were not always up-to-date...

    So, I will accept full-blown testing as a manager, but beforehand I will warn the admins of what we will be doing, so they are able to restart the machines if any trouble occurs or to face any trouble which could occur.

    HTH.

    -----Original Message-----
    From: Toby Barrick [mailto:TBLinux@covad.net]
    Sent: Wednesday, 23 June 2004 17:28
    To: pen-test@securityfocus.com
    Subject: Limited vs full blown testing

    All,

    During my many years of pen testing one common thread when dealing with
    customers has been the request to not perform any destructive or DOS
    type testing. When I speak of DOS, I'm not talking about DDOS, I'm
    talking just a single machine and the tests that can be accomplished
    with that machine. IMHO abiding by that request is really shortchanging
    the customer and skewing the results. Additionally a lot of companies
    don't want their applications poked at either.

    What has been the experience of the members on this list? Do you just
    gleefully accept the check and any limitations imposed on testing or do
    you push for a "complete" suite of tests?

    Thanks in advance!

    T
