Re: Limited vs full blown testing

From: Peter Wood (peterw@firstbase.co.uk)
Date: Thu Jun 24 2004 - 08:02:09 EDT


At 09:27 23/06/2004 -0700, Toby Barrick wrote:
>During my many years of pen testing one common thread when dealing with
>customers has been the request to not perform any destructive or DoS-type
>testing. When I speak of DoS, I'm not talking about DDoS, I'm talking just
>a single machine and the tests that can be accomplished with that machine.
>IMHO abiding by that request is really short-changing the customer and
>skewing the results. Additionally a lot of companies don't want their
>applications poked at either.
>
>What has been the experience of the members on this list? Do you just
>gleefully accept the check and any limitations imposed on testing or do
>you push for a "complete" suite of tests?

We accept a brief excluding DoS attacks, as most clients just won't support
DoS testing. However, we include appropriate caveats in our report and
continue to suggest they do these tests.

regards
Pete

--------------------------------------------------------------------------------------------------------------------------------
www.fbtechies.co.uk



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:56 EDT