RE: Limited vs full blown testing

• Previous message: S Walker: "RE: troubles wireless pen test"
• Maybe in reply to: Toby Barrick: "Limited vs full blown testing"
• Next in thread: El C0chin0: "Re: Limited vs full blown testing"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date: Thu, 24 Jun 2004 11:22:05 +0200
To: <pen-test@securityfocus.com>

Heyas,

I would recommend preparing a standard document detailing the tests (not
a full test plan, something dumbed-down for the suits), and also
detailing the pro's and con's of both doing the test, and NOT doing the
test. That way the customer can make an informed decision as to what to
do and what not to do.

Then, if you make the possible consequences of NOT doing the test
sufficiently scary, the customer is more likely to agree to actually
doing a test.

Also, it makes you look even more professional... just slap in document
control and a fancy header :)

 - M

-----Original Message-----
From: Toby Barrick

All,

During my many years of pen testing one common thread when dealing with
customers has been the request to not perform any destructive or DOS
type testing. When I speak of DOS, I'm not talking about DDOS, I'm
talking just a single machine and the tests that can be accomplished
with that machine. IMHO abiding by that request is really short changing

the customer and skewing the results. Additionally a lot of companies
don't want their applications poked at either.

What has been the experience of the members on this list? Do you just
gleefully accept the check and any limitations imposed on testing or do
you push for a "complete" suite of tests?

Thanks in advance!

T

• Previous message: S Walker: "RE: troubles wireless pen test"
• Maybe in reply to: Toby Barrick: "Limited vs full blown testing"
• Next in thread: El C0chin0: "Re: Limited vs full blown testing"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]