Penetration Testing mailing list archives
Re: They will protect me (won't they?)
From: Dotzero <dotzero () gmail com>
Date: Tue, 10 Feb 2009 17:39:29 -0500
On Mon, Feb 9, 2009 at 1:33 PM, Adriel T. Desautels <ad_lists () netragard com> wrote:
One of my recent thoughts and blog entries... So the other day I was talking with my buddy Kevin Finisterre. One of the things that we were discussing was people who just don't feel that security is an important aspect of their business because their customers don't ask for it. That always makes my brain scream "WHAT!?". Here's a direct quote from a security technology vendor "We don't perform regular penetration tests because our customers don't ask us to do that."
If the customer doesn't contract with that vendor for that particular service why would it be the vendors obligation. I use multiple vendors in the security services area and some I find stronger in some services and others stronger in other services. Sometimes I split things up for other reasons. I don't want my auditor doing my pentests. I view a vendor doing both as a conflict of interest.
Isn't it the service provider's/vendor's responsibility to properly manage and maintain the security of their infrastructure? Don't they have an ethical obligation to their customers to protect the service that they are offering and any information that the customers decide to store on their systems?
It depends on the agreement and in some circumstances it may depend on regulatory or contractual compliance obligations that derive from the contract.
The real question is, how many customers would they lose if the customers heard them say that? That is after all just like saying "We don't care about security because our customers aren't asking us to care about it."
Actually, they probably wouldn't lose many. It's not that the vendor doesn't care about security, it's that the scope of what they are providing is constrained by what the client/customer says they want. Flip it around.... how many vendors will walk away from a "bad" customer? .... particularly if that customer is a lucrative one?
So who have I heard this from? Here's the (very) short list: • Vendors that make security software (like email gateways, anti-virus technology, Intrusion Prevention Systems, etc). • Vendors that make technology that is used to control our Nuclear Power Plants, Water Purification Plants, Traffic Control Systems, etc. • Vendors that sell business enabling technologies like PHP based Content Management Systems, Commercial Web Servers, Server based applications, Web Applications, etc. • Vendors that sell desktop applications like Financial Tracking Systems, Invoicing Systems, File Sharing Systems, Backup Solutions, etc. • I've also heard this from MAJOR Service Providers such as Web Hosting Providers, Email Providers, Backup Service Providers, etc. • The list goes on.... I think that people need a wake up call. This strikes me as a serious ethical issue, what about you? Leave me a comment I'm very interested in feedback on this one.
I don't know that I would call it an ethical issue. It is certainly an issue and a serious one. Unfortunately it will probably take a serious incident for the wake up call you mention. Just a few thoughts.
Current thread:
- They will protect me (won't they?) Adriel T. Desautels (Feb 10)
- Re: They will protect me (won't they?) Jamie Riden (Feb 11)
- Re: They will protect me (won't they?) Adriel T. Desautels (Feb 11)
- Re: They will protect me (won't they?) Jamie Riden (Feb 11)
- Re: They will protect me (won't they?) Adriel T. Desautels (Feb 11)
- Re: They will protect me (won't they?) Sat Jagat Singh (Feb 11)
- Re: They will protect me (won't they?) Adriel T. Desautels (Feb 11)
- Re: They will protect me (won't they?) Jamie Riden (Feb 11)
- Re: They will protect me (won't they?) Adriel T. Desautels (Feb 11)
- Re: They will protect me (won't they?) Dotzero (Feb 11)
- Re: They will protect me (won't they?) Adriel T. Desautels (Feb 11)
- Message not available
- Message not available
- Fwd: They will protect me (won't they?) Dotzero (Feb 11)