Penetration Testing mailing list archives

Re: Limited vs full blown testing


From: Peter Wood <peterw () firstbase co uk>
Date: Thu, 24 Jun 2004 13:02:09 +0100

At 09:27 23/06/2004 -0700, Toby Barrick wrote:
> During my many years of pen testing, one common thread when dealing with customers has been the request to not perform any destructive or DoS-type testing. When I speak of DoS, I'm not talking about DDoS; I'm talking about just a single machine and the tests that can be accomplished with that machine. IMHO, abiding by that request is really short-changing the customer and skewing the results. Additionally, a lot of companies don't want their applications poked at either.
>
> What has been the experience of the members on this list? Do you just gleefully accept the check and any limitations imposed on testing, or do you push for a "complete" suite of tests?

We accept a brief excluding DoS attacks, as most clients just won't support DoS testing. However, we include appropriate caveats in our report and continue to suggest they do these tests.

regards
Pete

--------------------------------------------------------------------------------------------------------------------------------
www.fbtechies.co.uk

