Security Basics mailing list archives
Re: Conflict of interests
From: David Schekaiban <david () codigoverde com>
Date: Tue, 5 May 2009 10:16:02 -0500
If you formally request and log your actions I don't think there would be a problem. The conflict of interests problem is usually something we see with coders. You can't, for example, code and test and approve something.

If you are on the security team, you should get permission from the IT guys and the audit team to use root privileges to test and try something.

Hope this helps and remember, whenever doing penetration and vulnerability testing you should have FORMAL authorization from management. This is sometimes called a "get out of jail" card, so keep it in mind.

Best regards,
DS

On Monday 04 May 2009 13:16:45 s0h0us () yahoo com wrote:
As a security guy, not part of the IT department, I require a level of access in order to perform my job. Certain types of tools require privileged access in order to work. Like having domain admin access and/or similar privileged access for unix and linux systems. Is it reasonable to request this type of access without causing any type of conflict of interest that internal auditors might question? I guess audit trails would come in handy here. Thanks for the feedback.