Re: Limited vs full blown testing
From: Peter Wood (peterw_at_firstbase.co.uk)
Date: 06/24/04
- Previous message: Richard Rager: "Re: Limited vs full blown testing"
- In reply to: Toby Barrick: "Limited vs full blown testing"
- Next in thread: R. DuFresne: "Re: Limited vs full blown testing"
- Reply: R. DuFresne: "Re: Limited vs full blown testing"
Date: Thu, 24 Jun 2004 13:02:09 +0100
To: pen-test@securityfocus.com
At 09:27 23/06/2004 -0700, Toby Barrick wrote:
>During my many years of pen testing one common thread when dealing with
>customers has been the request to not perform any destructive or DOS type
>testing. When I speak of DOS, I'm not talking about DDOS, I'm talking just
>a single machine and the tests that can be accomplished with that machine.
>IMHO abiding by that request is really short changing the customer and
>skewing the results. Additionally a lot of companies don't want their
>applications poked at either.
>
>What has been the experience of the members on this list? Do you just
>gleefully accept the check and any limitations imposed on testing or do
>you push for a "complete" suite of tests?
We accept a brief excluding DoS attacks, as most clients just won't support
DoS testing. However, we include appropriate caveats in our report and
continue to suggest they do these tests.
regards
Pete
--------------------------------------------------------------------------------------------------------------------------------
www.fbtechies.co.uk