RE: Limited vs full blown testing

From: Jerry Shenk (jshenk_at_decommunications.com)
Date: 06/24/04

  • Next message: Jason Ostrom: "Re: troubles with wireless pentest"
    To: "'Toby Barrick'" <TBLinux@covad.net>, <pen-test@securityfocus.com>
    Date: Thu, 24 Jun 2004 06:46:38 -0400

    I just got one of them yesterday. At this point, I'm dealing with the
    sales rep but basically I ask them, "If you have something that breaks,
    wouldn't it be good to find it?" Then I back off a bit and tell them
    that I can ratchet things back a bit and not blast their network too hard.
    I'll often offer to do the "heavy stuff" at some scheduled time.
    Sometimes they have a particular legacy system that is critical to
    production and they know it's "touchy" and they just want to keep it
    running till they replace it. Basically, I'll do what they want, but I
    try to explain to them what they're asking for and I try to talk them
    out of it. If push comes to shove, I'll do what they want, but those
    stipulations get added to the final document.

    Here's what I just sent that sales rep a few hours ago:

    "There is always the possibility that in doing an audit, something will
    go down. We're pretty careful to avoid that but sometimes it happens.
    One of the specific things that we sometimes test is DOS (Denial of
    Service) - in those cases, we actually try to bring things down so that
    vulnerable hardware and software can be detected and fixed. For an
    audit of a bank or something with critical infrastructure or services
    using the internet, we would generally try to see how vulnerable they
    are to a DOS attack. ...but, we can intentionally avoid them also."

    -----Original Message-----
    From: Toby Barrick [mailto:TBLinux@covad.net]
    Sent: Wednesday, June 23, 2004 12:28 PM
    To: pen-test@securityfocus.com
    Subject: Limited vs full blown testing

    All,

    During my many years of pen testing one common thread when dealing with
    customers has been the request to not perform any destructive or DOS
    type testing. When I speak of DOS, I'm not talking about DDOS, I'm
    talking just a single machine and the tests that can be accomplished
    with that machine. IMHO abiding by that request is really short-changing
    the customer and skewing the results. Additionally, a lot of companies
    don't want their applications poked at either.

    What has been the experience of the members on this list? Do you just
    gleefully accept the check and any limitations imposed on testing or do
    you push for a "complete" suite of tests?

    Thanks in advance!

    T

