From: Dotzero (dotzero gmail.com)
Date: Wed Mar 04 2009 - 07:43:18 CST
On Sat, Feb 28, 2009 at 9:04 PM, Tony <tony_l_turner yahoo.com> wrote:
> Is it ethical for a security testing (VA, Pen-test, etc) shop to provide
> mitigation services? If so, under what context? How to guard against the
> tendency to try to sell a customer the solutions that profit you the
> most instead of those that the customer needs the most? Should services
> be sold as a single blanket package or priced in such a way as to
> minimize this effect? How does this damage your credibility as an
> impartial tester?
>
> You don't have to answer all of this, just looking for discussion along
> these lines.
> --
> Tony L Turner CISSP/CISA/GSEC/ITIL
> IT Security/Disaster Preparedness Consultant
>
Tony,
I don't necessarily think it is unethical. I think it can easily
become problematic.
For that reason I generally won't contract other services from vendors
we use for VA or pentesting. I'd also point out that pentesting is a
distinctly different set of skillsets from implementing security and
controls. The fact that an organization is good at pentesting does not
mean that organization is a good choice for implementing an IDS or
configuring a firewall (doesn't mean they aren't, just that they don't
go hand in hand).