To Fix or Not to Fix


A security testing firm needs to decide whether it will fix the vulnerabilities found in its testing. One unethical practice of some network integration firms is to offer free penetration tests in return for being the preferred solutions provider that secures the company's infrastructure. Because providing technology solutions is the ultimate goal of such a firm, not assessing security, the integrator might make false or exaggerated claims about the company's security to win business. For example, although the risk of a firewall breach might be minimal, the report might embellish the severity of the vulnerability so that the integrator can turn around and sell a firewall solution to the customer.

Many penetration testing firms do not offer to fix the security vulnerabilities they find. This avoids the temptation to embellish the report to gain business and limits the liability exposure. If a penetration testing firm offers suggestions on how to fix the vulnerabilities it finds, but the suggested solution does not secure the target adequately, the testing firm can be held liable for false guarantees. However, it is not enough to list vulnerabilities without specifying how to fix them. Therefore, the best practice is to provide a disclaimer stating that the solutions provided are suggestions only and that there is no guarantee that a host will be secured by following them.

    Penetration Testing and Network Defense
    ISBN: 1587052083
    Year: 2005
    Pages: 209