Re: Limited vs full blown testing
From: Peter Wood (peterw firstbase.co.uk)
Date: Thu Jun 24 2004 - 07:02:09 CDT
At 09:27 23/06/2004 -0700, Toby Barrick wrote:
>During my many years of pen testing one common thread when dealing with
>customers has been the request to not perform any destructive or DOS type
>testing. When I speak of DOS, I'm not talking about DDOS, I'm talking just
>a single machine and the tests that can be accomplished with that machine.
>IMHO abiding by that request is really short changing the customer and
>skewing the results. Additionally a lot of companies don't want their
>applications poked at either.
>
>What has been the experience of the members on this list? Do you just
>gleefully accept the check and any limitations imposed on testing or do
>you push for a "complete" suite of tests?
We accept a brief excluding DoS attacks, as most clients just won't support
DoS testing. However we include appropriate caveats in our report and
continue to suggest they do these tests.
regards
Pete
--------------------------------------------------------------------------------------------------------------------------------
www.fbtechies.co.uk