Penetration Testing mailing list archives
Re: Penetration test report - your comments please?
From: chapin () ecs syr edu (Steve Chapin)
Date: Sat, 02 Jun 2001 16:03:19 -0400
- Advising that testing was limited and that undetected weaknesses may remain, although partly opinion, is NOT assuming any risk. On the contrary, it is a comparatively weak, but very useful, form of disclaimer that shows the limits of the work done. Say it every time it is true. (A real disclaimer essentially says that you cannot be held liable for anything, not even if the work you did was useless or misleading. Unpleasant but true; look at any software User Agreement.)
In reality, no pen test that I've ever seen can really make much of a statement about the security of a system. This is because (a) your results only reflect defects that are known today, and new ones will be found and exploits developed tomorrow, and (b) your results only apply to the configuration of the system at the time of the test. Any simple change, even as much as adding a single user, invalidates your testing. We put an extensive disclaimer explaining this in our contracts.

The value in the pen test is finding open doors. A 3-hour test is going to have limited results in any event; it can only tell you that some of the more obvious, well-known doors are closed. You simply don't have enough time to conduct a thorough test.

sc
--
Current thread:
- Re: Penetration test report - your comments please? R. DuFresne (May 31)
- <Possible follow-ups>
- RE: Penetration test report - your comments please? pete (Jun 01)
- Re: Penetration test report - your comments please? Brian Nottle (Jun 02)
- Re: Penetration test report - your comments please? Steve Chapin (Jun 03)
- Re: Penetration test report - your comments please? Brian Nottle (Jun 02)
- RE: Penetration test report - your comments please? John M. Millican (Jun 03)