Re: Penetration Testing Scheduling



Yousif@xxxxxxxxxxxx wrote:
I appreciate everyone's commentary on what I've questioned, but I don't think anyone's providing a definite answer. If it's up to the client, then that's done with; it's clearly going to be what they want, not a problem. What if they don't take you up on that and you are the decision maker? I'm getting worthless comments from people telling me that I should always have permission before security testing, but keep in mind that everyone knows that; commentary like that is just useless. Now, to focus on the question, let's say both parties agree to fulfill the security testing, the contracts have been signed, and the setup in general has been completed. To go on with your testing, do you let them know an exact date/time, OR do you simply let them know it's a week from now? I'm clarifying this because it seems like a lot of people are giving options, and that's always good to have a choice, but I'm looking more for the "right" thing to do.
We settle on the start date before the contract is signed, unless the client has a specific requirement that they shouldn't know when we begin (they almost never do). If we don't have a specific window for testing (e.g., 6p-6a), we start whenever we're ready on the agreed-upon date; otherwise, we generally kick it off at the beginning of the window.

I used to be on the receiving end of PT services, and it was the same when I was the client. We'd negotiate an approximate start date, and the start time would fall somewhere within the "maintenance" window for testing.

-jp

--
"Companies will say, "We can Web 2.0ify your existing applications in 15 minutes - we've got a wrapper". These people are charlatans, and you should punch them in the face. They are taking your back-end database tiers and moving them to the perimeter." - Billy Hoffman, HPSW Security Labs

