RE: Limited vs full blown testing

From: Bénoni MARTIN (Benoni.MARTIN@libertis.ga)
Date: Thu Jun 24 2004 - 05:03:59 EDT


Well, I will reply as an IT Architect: in my former company, I had to perform some vuln testing in our networks, and what we did was:
- I warned the management of what I was doing, telling them clearly that some tests may crash the machines.
- Told them as well that if the system admins did their job, no vulns would be found and the world would be better :)
- So I performed all my checks, 4 old unpatched NT production servers crashed, the admins in charge of these machines were given a roasting and we discovered (how strange! : ) ) that some machines were not always up-to-date...

So, I will accept full-blown testing as a manager, but beforehand I will warn the admins of what we will be doing, to be able to restart the machines if any trouble occurs or to face any trouble which could occur.

HTH.

-----Original Message-----
From: Toby Barrick [mailto:TBLinux@covad.net]
Sent: Wednesday, June 23, 2004 17:28
To: pen-test@securityfocus.com
Subject: Limited vs full blown testing

All,

During my many years of pen testing one common thread when dealing with
customers has been the request to not perform any destructive or DOS
type testing. When I speak of DOS, I'm not talking about DDOS, I'm
talking just a single machine and the tests that can be accomplished
with that machine. IMHO abiding by that request is really short-changing
the customer and skewing the results. Additionally, a lot of companies
don't want their applications poked at either.

What has been the experience of the members on this list? Do you just
gleefully accept the check and any limitations imposed on testing or do
you push for a "complete" suite of tests?

Thanks in advance!

T



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:56 EDT