Penetration Testing mailing list archives

Re: Verify Your Security Provider -- The truth behind manual testing.


From: Justin Ferguson <jnferguson () gmail com>
Date: Sat, 18 Jul 2009 02:28:59 -0700

I'm a pentester, but I have to say that pentest is only the first stage when
you show the impact and risk of an attack to justify a more extensive and
white box based security plan.

I'm curious as to your reasoning for not just skipping the foreplay
assessment and selling the customer what they apparently needed in the
first place (whitebox review), and to consider the ethical
implications of charging your customer X thousand dollars for a
service which is just the precursor to the service they needed/you're
going to recommend at the end.

Sans DRM, anti-debugging/disasm, et cetera related engagements, why
would a blackbox assessment ever be better for improving the security
of a client?
