Penetration Testing mailing list archives

Re: Penetration test report - your comments please?


From: chapin () ecs syr edu (Steve Chapin)
Date: Sat, 02 Jun 2001 16:03:19 -0400


- Advising that testing was limited and that undetected weaknesses may
remain, although partly opinion, is NOT assuming any risk. On the contrary
it is a comparatively weak, but very useful, form of disclaimer that shows
the limits of the work done. Say it every time it is true. (A real
disclaimer essentially says that you cannot be held liable for anything, not
even if the work you did was useless or misleading. Unpleasant but true;
look at any software User Agreement.)

In reality, no pen test that I've ever seen can really make much of
a statement about the security of a system.  This is because (a) your
results only reflect defects that are known today, and new ones will
be found and exploits developed tomorrow, and (b) your results only
apply to the configuration of the system at the time of the test.  Any
simple change, even as much as adding a single user, invalidates your
testing.

We put an extensive disclaimer explaining this in our contracts.
The value in the pen test is finding open doors.  A 3-hour test
is going to have limited results in any event; it can only tell
you that some of the more obvious, well-known doors are closed.
You simply don't have enough time to conduct a thorough test.

sc
--

