Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email firstname.lastname@example.org
From: Dotzero (dotzerogmail.com)
Date: Wed Mar 04 2009 - 07:43:18 CST
On Sat, Feb 28, 2009 at 9:04 PM, Tony <tony_l_turneryahoo.com> wrote:
> Is it ethical for a security testing (VA, Pen-test, etc) shop to provide
> mitigation services? If so, under what context? How to guard against the
> tendency to try to sell a customer the solutions that profit you the
> most instead of those that the customer needs the most? Should services
> be sold as a single blanket package or priced in such a way as to
> minimize this effect? How does this damage your credibility as an
> impartial tester?
> You don't have to answer all of this, just looking for discussion along
> these lines.
> Tony L Turner CISSP/CISA/GSEC/ITIL
> IT Security/Disaster Preparedness Consultant
I don't necessarily think it is unethical. I think it can easily
For that reason I generally won't contract other services from vendors
we use for VA or pentesting. I'd also point out that pentesting is a
distinctly different set of skillsets from implementing security and
controls. The fact that an organization is good at pentesting does not
mean that organization is a good choice for implementing an IDS or
configuring a firewall (doesn't mean they aren't, just that they don't
go hand in hand).