Re: Ethics (testing and mitigation)

Why wouldn't it be ethical? Isn't that half of what a pentest/VA/etc.
business does? Aren't they supposed to inform the customer on how to
potentially fix the problem? Granted, you wouldn't necessarily know
everything about their environment, codebase (especially if you just
blackboxed it), whatever, but if you firewalked their firewall, for
example, why wouldn't you point them to someone in your company who is
good with ACLs?

As for the rest of the questions, I think that's where the ethics come
in. Selling someone something just because you profit from it the most
is, in my opinion, unethical. I think services in this situation
should be sold in such a way that they are more à la carte. That's
just my random thoughts. :)

Now I await the flood of ooo emails ...

On Sat, Feb 28, 2009 at 9:04 PM, Tony <tony_l_turner@xxxxxxxxx> wrote:
Is it ethical for a security testing (VA, Pen-test, etc) shop to provide
mitigation services? If so, under what context? How to guard against the
tendency to try to sell a customer the solutions that profit you the
most instead of those that the customer needs the most? Should services
be sold as a single blanket package or priced in such a way as to
minimize this effect? How does this damage your credibility as an
impartial tester?

You don't have to answer all of this, just looking for discussion along
these lines.
--
Tony L Turner CISSP/CISA/GSEC/ITIL
IT Security/Disaster Preparedness Consultant
