Re: Penetration Testing Scheduling



On 26 Apr 2008 19:58:37 -0000, Yousif@xxxxxxxxxxxx <Yousif@xxxxxxxxxxxx> wrote:
I've heard a lot of folks say that telling your customers exactly when you will begin the testing is not suitable, but I'm not sure as to why they say that... Can anyone define for me the right approach? -- Do you plan the assessment and let them know it's within a week or so, or do you simply inform them of the date and time specifically?


I always require the vendor to provide specific dates and timeframes
as well as originating IP addresses if a pentest involves our
production environment. I provide this information to the IDS team but
may only give a general heads up to neteng and other teams. We also
have a requirement that we have direct phone numbers for the pentest
team. If we see anything untoward I will contact them. I also expect
them to contact me immediately if they think they "broke" something.

This is all part of the contract.
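
One way an IDS team could use the dates, timeframes and originating IP addresses described in the reply above, shown as an added example that is not part of the original thread. The engagement record, alert format and label names are assumptions, and every address and timestamp is constructed (documentation ranges).

```python
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network

# Constructed engagement record: what the vendor declares under the contract.
ENGAGEMENT = {
    "sources": [ip_network("198.51.100.16/29"), ip_network("203.0.113.7/32")],
    "windows": [  # (start, end), UTC
        (datetime(2008, 5, 5, 22, 0, tzinfo=timezone.utc),
         datetime(2008, 5, 6, 4, 0, tzinfo=timezone.utc)),
    ],
    "contact": "pentest team direct line (placeholder)",
}

# Constructed IDS alerts (hypothetical format).
ALERTS = [
    {"time": "2008-05-05T23:10:00+00:00", "src": "198.51.100.18", "sig": "SQL injection attempt"},
    {"time": "2008-05-06T09:30:00+00:00", "src": "198.51.100.18", "sig": "Port scan"},
    {"time": "2008-05-05T23:15:00+00:00", "src": "192.0.2.44", "sig": "SQL injection attempt"},
]

def classify(alert, engagement=ENGAGEMENT):
    """Label an alert against the declared test; alerts are tagged, never dropped."""
    src = ip_address(alert["src"])
    ts = datetime.fromisoformat(alert["time"])
    if ts.tzinfo is None:  # treat naive timestamps as UTC
        ts = ts.replace(tzinfo=timezone.utc)
    from_tester = any(src in net for net in engagement["sources"])
    in_window = any(start <= ts <= end for start, end in engagement["windows"])
    if from_tester and in_window:
        return "authorized-test"        # expected activity, keep for the report
    if from_tester:
        return "tester-outside-window"  # call the pentest team's direct number
    return "investigate"                # undeclared source: handle as a real event

def triage(alerts, engagement=ENGAGEMENT):
    """Return (label, alert) pairs in input order."""
    return [(classify(a, engagement), a) for a in alerts]

if __name__ == "__main__":
    for label, alert in triage(ALERTS):
        print(f'{alert["time"]}  {alert["src"]:<15} {label:<22} {alert["sig"]}')
```

An alert from an undeclared source stays "investigate" even when it arrives during the test window, so the declared schedule never masks unrelated activity.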
