Re: Limited vs full blown testing
From: Martin Mačok (martin.macok_at_underground.cz)
Date: 06/24/04
- Previous message: Rosado, Rafael (Rafael): "SecurityExpressions from Pedestal Software"
- In reply to: Toby Barrick: "Limited vs full blown testing"
- Next in thread: Markowsky, Tyler: "RE: Limited vs full blown testing"
- Reply: Markowsky, Tyler: "RE: Limited vs full blown testing"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Thu, 24 Jun 2004 23:01:50 +0200
To: pen-test@securityfocus.com
On Wed, Jun 23, 2004 at 09:27:58AM -0700, Toby Barrick wrote:
> During my many years of pen testing one common thread when dealing
> with customers has been the request to not perform any destructive
> or DOS type testing.
Tell them that the purpose of the test is *to test* (i.e. to try
something) and the only thing you can do to not break anything is to
not try anything at all. Maybe they want an audit instead of
a pen-test and they just don't know the terms and the meanings.
If they are so scared, negotiate the exact time of potentially
destructive/aggressive tests.
Use Nessus with "safe checks" turned on for "polite" scans... You can
also disable all "DoS" family plugins in Nessus.
Martin Mačok
IT Security Consultant