Re: Ethics (testing and mitigation)



On Sat, Feb 28, 2009 at 9:04 PM, Tony <tony_l_turner@xxxxxxxxx> wrote:
Is it ethical for a security testing (VA, Pen-test, etc) shop to provide
mitigation services? If so, under what context? How to guard against the
tendency to try to sell a customer the solutions that profit you the
most instead of those that the customer needs the most? Should services
be sold as a single blanket package or priced in such a way as to
minimize this effect? How does this damage your credibility as an
impartial tester?

You don't have to answer all of this, just looking for discussion along
these lines.
--
Tony L Turner CISSP/CISA/GSEC/ITIL
IT Security/Disaster Preparedness Consultant


Tony,

I don't necessarily think it is unethical. I think it can easily
become problematic.

For that reason I generally won't contract other services from vendors
we use for VA or pentesting. I'd also point out that pentesting is a
distinctly different set of skillsets from implementing security and
controls. The fact that an organization is good at pentesting does not
mean that organization is a good choice for implementing an IDS or
configuring a firewall (doesn't mean they aren't, just that they don't
go hand in hand).



Relevant Pages

  • Re: QC-proof cipher?
    ... operational concept of "insurance" is to make a profit of every customer? ... Precisely why they do NOT try to make a profit on each customer. ... the cost of a health insurance policy ...
    (sci.crypt)
  • Re: OT: new job :-)
    ... profit out of them - sometimes quite aggressively so. ... Some of the customer satisfaction is also down to the attitude of the ... But now big chains form most of the new car network, ... Mazda and Toyota at the top, Honda just below, and Nissan a *long* 4th ...
    (uk.rec.motorcycles)
  • RE: Calculating fields in pivot tables
    ... Drag customer field to the row field area ... Drag the gross profit field to the data field area 3 times. ...
    (microsoft.public.excel.misc)
  • Re: Pivot Table Divide By Zero
    ... >> revenue, cost, profit and percentage of profit on each of ... Sadly, in some cases our costs exceeded the revenue billed, and ... >> The problem is those jobs where we were unable to bill the customer ... >> costs that have to be paid. ...
    (microsoft.public.excel)