Re: Pen Test Success Factors
('binary' encoding is not supported, stored as-is)
You could always offer fixing the exploits and vulnerabilities. That would truly be a great success factor they would love. You could indeed generate a full report of all events that took place with custom comments to IT staff/administrators in pointing out problems, suggestions, and common feedback. Also, you might want to expand your findings with the additional testing of odd behaviors or functionalities by testing for SSL and changing HTTPS protocols to boost your results and raise the customers confidence, and of course security. Also, you should if you have not already, test for logical flaws, which have to be done manually and explained throughly, and can be quite effective, and is almost exactly what the customers want to hear, because of the non-technical terms involved to demonstrate or explain the attack(s). You should also explain that every bit of exploit or vulnerability is important. Don't let them justify that XSS isn't serious, (which most company's do). Expl
ain to them that every bit of information assembled is indeed quality for an attacker. Also, you should speak with the CTO or the IT Staff so that they can better understand your concerns, as most business owners, just don't because of the lack of security information and what is normally embedded.
-Yousif Yalda
-Security Consultant
-http://Vapt-Sec.Com
-http://YousifYalda.BlogSpot.Com
------------------------------------------------------------------------
This list is sponsored by: Cenzic
Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!
http://www.cenzic.com/downloads
------------------------------------------------------------------------
This archive was generated by hypermail 2.1.7
: Sat Apr 12 2008 - 10:58:25 EDT