Monday, November 29, 2010

This is the right way

Any company contracting for Penetration Testing should make sure that this is a separate activity from remediating the vulnerabilities that the Pen Test finds. Otherwise, a person who is contracted to do both could:

a. just happen to ONLY find vulnerabilities that he/she can definitely fix.
b. fix just enough vulnerabilities to ensure another follow-on engagement.
c. be reluctant to tell the client that there are just some things that they might have to accept as risky given a particular business model.

On the flip side, be leery of any Pen Tester who offers to do both testing and remediation without at least warning you that this is not the best approach. 


http://www.linkedin.com/groups?viewMemberFeed=&gid=38412&memberID=2432590 
