Re: What is your policy on customers particapating in a pen test?

[Vanja Hrustic <vanja () relaygroup com>]

On Tue, Jun 19, 2001 at 01:59:45AM -0400, Joe Klein wrote:
> All:
>
> I am hearing customers request ( and some times demand ) that they be part of a
> pen test.
>
> Currently, we offer the customer 4 - 8 hours of time to review findings and show
> them what we did, to access there systems. But we do this after the pen test is
> complete.
>
> I was wondering how other companies deal with this issue?

There is no reason you shouldn't let them see what you are doing.

In some cases, you don't even have a choice. In some countries (at least in Asia-Pacific region) banks (or insurance 
companies) must have a 3rd
party 'audit' (as they call pen-test) performed from their premises, or at least from the 'soil' where the company is 
located. Sounds silly, but
it's true. Usually, you'd have to do it in their offices, with few people watching what you're doing. Granted, 1st day 
they might be staring at your
screen, but next day they might be just reading newspapers while you're doing your stuff.

In case you're doing some work for govts, you will have to do the job from their office, using their equipment, with 
their people never leaving you
alone in a room.

Some companies argue that they can't let anyone see what they're doing, because of their 'proprietary techniques'. 
Right - pentesting is really a
rocket science, isn't it? ;) That's pretty crappy argument, and from what I've "heard", few companies basically use 
that argument in order to make
sure the clients don't see that pentest consists of running ISS or CyberCop or Nessus.

Bottom line: get used to requests like this, since it's becoming a requirement (as a part of a law) in some countries.

Vanja