Penetration Testing mailing list archives
RE: Limited vs full blown testing
From: Bénoni MARTIN <Benoni.MARTIN () libertis ga>
Date: Thu, 24 Jun 2004 10:03:59 +0100
Well, I will reply as an IT Architect: in my former company, I had to perform some vuln's testing in our networks, and what we did was: - I warned the management of what I was doing, telling them clearly that some test may crash the machines. - Told them as well that if the system admins did their job, no vuln will be found and the world will be better :) - So I perform all my checking, 4 old unpatched NT production servers crashed, the admins in charge of these machines were given a roasting and we discover (how strange! : ) ) that some machines were not always up-to-date... So, I will accept full-blown testing as a manager, but before I will warn the admins of what we will be doing, to be able to restart the machines if any trouble occurs or to face any trouble which could occur. HTH. -----Message d'origine----- De : Toby Barrick [mailto:TBLinux () covad net] Envoyé : mercredi 23 juin 2004 17:28 À : pen-test () securityfocus com Objet : Limited vs full blown testing All, During my many years of pen testing one common thread when dealing with customers has been the request to not perform any destructive or DOS type testing. When I speak of DOS, I'm not talking about DDOS, I'm talking just a single machine and the tests that can be accomplished with that machine. IMHO abiding by that request is really short changing the customer and skewing the results. Additionally a lot of companies don't want their applications poked at either. What has been the experience of the members on this list? Do you just gleefully accept the check and any limitations imposed on testing or do you push for a "complete" suite of tests? Thanks in advance! T
Current thread:
- Limited vs full blown testing Toby Barrick (Jun 24)
- RE: Limited vs full blown testing Jerry Shenk (Jun 24)
- Re: Limited vs full blown testing Richard Rager (Jun 24)
- Re: Limited vs full blown testing Peter Wood (Jun 24)
- Re: Limited vs full blown testing R. DuFresne (Jun 24)
- RE: Limited vs full blown testing Jerry Shenk (Jun 27)
- RE: Limited vs full blown testing R. DuFresne (Jun 27)
- Re: Limited vs full blown testing R. DuFresne (Jun 24)
- Re: Limited vs full blown testing Martin Mačok (Jun 25)
- RE: Limited vs full blown testing Markowsky, Tyler (Jun 27)
- <Possible follow-ups>
- RE: Limited vs full blown testing Bénoni MARTIN (Jun 24)
- RE: Limited vs full blown testing Martin Murray-Brown (Jun 24)
- Re: Limited vs full blown testing El C0chin0 (Jun 24)
- IE caching issue jatkinson (Jun 27)
- Re: IE caching issue Daniel Staal (Jun 28)
- IE caching issue jatkinson (Jun 27)
- RE: Limited vs full blown testing Thompson, Jimi (Jun 27)
- RE: Limited vs full blown testing Wayne Wooley (Jun 27)
- RE: Limited vs full blown testing R. DuFresne (Jun 27)
- RE: Limited vs full blown testing Alan Davies (Jun 27)
- RE: Limited vs full blown testing Martin Murray-Brown (Jun 28)