Penetration Testing mailing list archives

Re: Penetration Testing Scheduling


From: Dotzero <dotzero () gmail com>
Date: Mon, 28 Apr 2008 16:48:08 -0400

On 26 Apr 2008 19:58:37 -0000, Yousif () vapt-sec com <Yousif () vapt-sec com> wrote:
I've heard a lot of folks say that telling your customers exactly when you will begin the testing is not suitable,
but I'm not sure as to why they say that... Can anyone define for me the right approach? -- Do you plan the assessment
and let them know it's within a week or so, or do you simply inform them the date and time specifically?


I always require the vendor to provide specific dates and timeframes
as well as originating IP addresses if a pentest involves our
production environment. I provide this information to the IDS team but
may only give a general heads up to neteng and other teams. We also
have a requirement that we have direct phone numbers for the pentest
team. If we see anything untoward I will contact them. I also expect
them to contact me immediately if they think they "broke" something.

This is all part of the contract.
