Penetration Test Assistance

Leo Bicknell bicknell at ufp.org
Tue Jun 5 18:39:22 UTC 2012


The bit of information that's missing here is what are you trying
to pentest, and by extension how much do you want to pay your pentest
firm?

For some folks a pentest means starting with zero information and
trying to get IP packets past a firewall or IDSs undetected.
Basically pentesting layer 3 infrastructure.

For other folks a pentest is purely an application-level exercise:
you give the pentester an account on your customer portal, for
instance, a full network diagram, and let them try things like SQL
injection or cross-site scripting at the application layer.

Your pentest firm can start with zero information and work all the
way up to an application-level attack, but that's costly and
time-consuming.  Providing them some information is a way to
short-circuit the process.

If you (or an appropriate company representative) haven't already
discussed the pros and cons with your pentest firm, you're off on the
wrong foot.

-- 
       Leo Bicknell - bicknell at ufp.org - CCIE 3440
        PGP keys at http://www.ufp.org/~bicknell/