Penetration Testing mailing list archives
RE: Pen testing a off-site web server
From: "Mike Forrester" <mikef () pocketlint com>
Date: Wed, 30 May 2001 12:34:40 -0600
Another thing that might need to be discussed during the approval process is the disclosure of the results of the test to the web-hosting company. Someone is paying you to audit their services, but does the hosting company get this information for free?

I did an audit of a web-based content delivery service that one of our departments wanted to use. They sent us an eval server and I broke into it fairly easily (RDS bug :) ). I wrote a detailed document for internal use stating all the security problems with their server. One of the managers of the project just emailed the entire doc to the company that provided the eval server. Basically, they got a nice detailed security audit for free.

The problem is: how do you have them fix all the bugs, or justify to management that the security of the product or service sucks, without providing free security consulting to all of your vendors? You are providing security awareness and potentially increasing the company's security, but should you be doing it for free? We haven't really come up with a solution to the dilemma. How have others addressed this?

Mike
Current thread:
- Pen testing a off-site web server Franklin DeMatto (May 22)
- Re: Pen testing a off-site web server Meritt James (May 22)
- Re: Pen testing a off-site web server batz (May 22)
- RE: Pen testing a off-site web server Jim Huddleston (May 23)
- RE: Pen testing a off-site web server Mike Forrester (May 31)
- RE: Pen testing a off-site web server Jim Huddleston (May 23)
- <Possible follow-ups>
- RE: Pen testing a off-site web server Graham, Randy (RAW) (May 22)