EH-Net
Author Topic: Pentesting is scary!  (Read 9119 times)
Kev
Sr. Member
Posts: 428
« on: November 12, 2007, 09:59:26 PM »

I have been doing pentesting for a long time now and I still get this weird feeling in my gut every time I get asked to do it. This is just my personal rant and if you haven't been involved in testing the security of a company I am sure you don't understand. It's just a weird feeling that it all relies on you. They ask you to come in and test their security. Let them know if they are safe or not. I always feel such a weight on me. Am I going to really see everything? Am I going to catch every hole? If I miss something and 2 weeks later it gets exploited, how do I look? Did my missing one little thing I should have seen just compromise a lot of important data? Did that compromise hurt people's lives? Their personal information. So many noobs want to get into ethical hacking because they see it as a fun and legal way to hack. Yes, there is truth to that, but there is so much more to it than that. It's nothing like being a lone black hat hacker where you only answer to yourself. You have to work and answer to a lot of people. REAL people that you see and not faceless victims on the net. I guess the moral of this rant is you better make sure you really know what you are doing if you do a pentest! If you certify a network as safe you better make sure. You must have a passion to be the best! Look at every person in every field that was great. Bruce Lee was a total nut about practicing his art. His wife claimed he even practiced in his sleep! Franz Liszt, the greatest pianist of all time, practiced his fingers when he was eating dinner or while riding in a stagecoach. If you want to be good you must practice and have an obsession.
That doesn't mean read a lot of theory books! Practice, Practice, Practice! Eat, drink and sleep hacking if you want to be in the top 10 in the world. Don't settle for being average. Remember as an ethical hacker people are depending on your skill. If you say your network can't be breached, make damn sure it's true!
« Last Edit: November 12, 2007, 10:02:07 PM by Kev »
matthiasfan
Newbie
Posts: 25
« Reply #1 on: November 13, 2007, 01:35:05 PM »

Very good post.  You never really think of it that way, but it's very true.  I work for a church academy, and you always wonder if there is something that you are missing.  I mainly worry about the kids and teachers messing it up, but I have to test the penetration too.  I always wonder what new way someone can get into our system, both over the net and physically.  Thank you for the post though.
Kevan
Jr. Member
Posts: 95
« Reply #2 on: November 17, 2007, 08:57:52 PM »

When you pen test, do you use already-made programs, or your own?

I may be a newbie, but I am willing to learn.
Kev
Sr. Member
Posts: 428
« Reply #3 on: November 19, 2007, 06:11:26 PM »

Both.
dean
Guest
« Reply #4 on: November 21, 2007, 09:16:20 AM »

Quote
This is just my personal rant and if you haven't been involved in testing the security of a company I am sure you don't understand. It's just a weird feeling that it all relies on you. They ask you to come in and test their security. Let them know if they are safe or not. I always feel such a weight on me. Am I going to really see everything? Am I going to catch every hole? If I miss something and 2 weeks later it gets exploited, how do I look? Did my missing one little thing I should have seen just compromise a lot of important data? Did that compromise hurt people's lives?

I've been doing this a while now too and I think you're being a little melodramatic.

A pentest provides management with information about the condition of risks and internal controls at a given point in time. Future changes in environmental factors and actions by staff, etc... will impact these risks and internal controls in ways that the pentester cannot anticipate.

Pentests all have a scope. I strongly doubt that every pentest you've been involved in covers the company's entire infrastructure. A company of any reasonable size will define the scope of the pentest and as such there will be substantial limitations to your view into that environment. Are you only testing the internet facing hosts of the company or internal servers too? Are DOS attacks fair game? What about user workstations, the users themselves? A pentest is an *attempt* to simulate an attack by a malicious outsider, employee, etc... Any attacker is going to have no such restrictions.

I have just completed an engagement and the internal assessment portion covered very, very specific hosts/servers. This was supposed to be a subset of devices/hosts representative of all their server environment. Turns out that the manager had told the sysadmins about the pentest and they went and patched/reconfigured those machines. Now if I had not been informed of this my report would have stated that based on my findings they were in good shape. Where does my responsibility lie if they get compromised through another server in that data center that they did not patch and the attacker gains access to one of the servers that I vetted and assessed? In that case we actually expanded the scope to include the entire server subnet. We found LOTS of ingress points.

We, as pentesters, have limitations to what we can or cannot do in a pentest. Attackers don't.

I understand the need to provide a quality service that you can be proud of but how is the responsibility yours if two weeks later a system in their network gets compromised? Sure, if it's one you assessed and it was compromised through a known exploit that was out at the time then, yes, that's probably your responsibility and you should reevaluate your skillset.

The level of your responsibility is directly related to the scope of the engagement. 

I understand the point you are trying to make in that we should take pride in our work and provide the best results possible every time but I think you should be a little clearer on just what that responsibility is, especially considering the number of requests this site sees from people starting out in this or other related fields.

dean
nicky.coder
Newbie
Posts: 14
« Reply #5 on: November 21, 2007, 12:14:11 PM »

I agree with what dean has posted.

In every job, there is a risk. And success is with one who is going to take that risk. A penetration test engineer might be having the greater risk as he is involved in identifying the weakness of his client's network. But I suggest to make his role on the safer side by mentioning disclaimers in final report and scopes. Also if you are confident in your assessment, then there is no need to worry. Keep on moving with the next assignment and get engaged for self improvement. This is a profession which requires real professionalism with utmost quality in content and clarity in the data collected.

There is no situation like "Total Security" as every piece of code is vulnerable to bugs. After all it's a human design and it takes some time to see the vulnerabilities in the wild. With the modern sophisticated and complex security products, vulnerabilities and attack vectors would always be in its zenith.

As Bruce Schneier said "Security is a process, not a product"!!! And humans are the weakest link to security. So wherever there is a human interaction with a security product, there is a possibility for exploitation. This is one thing all Penetration engineers should know.

"Total security" means when it's totally cut off from the network :-)

Sec+, OSCP
Kev
Sr. Member
Posts: 428
« Reply #6 on: November 21, 2007, 03:01:31 PM »

LOL, as I stated in my post this was my personal rant. I was attempting to blow off a little steam and didn't expect this post to be scrutinized line by line, but whatever, this is the internet and I should expect that. If my point went over anyone's head I apologize and will attempt to be more clear in the future. What inspired my rant was having just completed an audit where the previous tester missed some very obvious openings. Really no excuse for that other than just being lazy or rushing through an assignment. Of course I understand elements can change beyond our control, but what I was trying to stress is when a pentester misses something he should have seen. Especially something obvious. All we can do is provide the best service and be complete. If we have done a good job and later the network is breached, well that's beyond our control. I guess I wasn't clear.

I was being intentionally melodramatic and hoping to stress a point and for that I make no apology. I think it's important that every pentester should approach his work seriously and understand the repercussions if he is sloppy in his work. It's important that your client understands that you are aware of this and you are treating his network like your own. Yes we are busting boxes but those boxes can affect people's lives. I have been involved in this work for years and my clients want and trust me because I do take it very seriously and perhaps a bit melodramatic in my understanding of my responsibility. My priority is not to approach a gig like a cold robot and protecting myself with disclaimers, which happens way too often in this line of work. My clients really appreciate my approach and it's due to this that I have more work than I can handle. That's why I don't always have the time to write lengthy detailed posts critical or otherwise.
« Last Edit: November 21, 2007, 03:56:21 PM by Kev »
dean
Guest
« Reply #7 on: November 21, 2007, 05:45:27 PM »

Quote
LOL, as I stated in my post this was my personal rant. I was attempting to blow off a little steam and didn't expect this post to be scrutinized line by line, but whatever, this is the internet and I should expect that.

So you post something to a public forum that's both a personal "rant" and an attempt to make a point and you did not expect it to be scrutinized??

You talk about stressing a point, yet you don't actually make one in your original post. As I said previously, there are a broad range of people on this site with a broad range of skills from newbie to expert (whatever that may be) and so if you intend to convey a message then perhaps you should be clear about what that message is.

Quote
My priority is not to approach a gig like a cold robot and protecting myself with disclaimers, which happens way too often in this line of work. My clients really appreciate my approach and it's due to this that I have more work than I can handle. That's why I don't always have the time to write lengthy detailed posts critical or otherwise.

Yet you have the time for a personal rant??

If you don't want to be criticized, don't post.

dean
Kev
Sr. Member
Posts: 428
« Reply #8 on: November 21, 2007, 06:03:42 PM »

Like I said, sorry if you missed the point of my post which is obvious you did, but I will try to make my posts more clear. That "rant" took less than 5 minutes to type out, so not much time spent. Now I feel I am starting to waste a little time with this thread, lol. Actually I don't mind criticism, it's when I feel my point was not understood that bothers me. I thought I made it clear I was addressing the problem of a pentester missing something and not elements outside our control. Your post went on and on about elements outside our control and therefore we should not hold ourselves accountable. I agree completely with that and never stated anything contrary to that.

Also, discouraging anyone from posting here is not appreciated. We need more participation here not less.
« Last Edit: November 21, 2007, 06:16:54 PM by Kev »
EmanoN
Newbie
Posts: 41
« Reply #9 on: November 21, 2007, 07:24:22 PM »

Hey don't you guys stop now! This is starting to get too sweet! Nothing like a little forum war to spice up the holidays, even when both are arguing some very stupid small stuff. What makes it really hilarious is you are both actually saying the same thing and seem to agree on the topic but are arguing about it at the same time. Methinks you both have a little more time than you might like to admit. Kudos to both for giving me a laugh.

And pentesting is spooky not scary, Ha Ha! ;)
« Last Edit: November 21, 2007, 07:40:03 PM by EmanoN »
Kev
Sr. Member
Posts: 428
« Reply #10 on: November 21, 2007, 08:29:02 PM »

LOL, good point and thanks for now making me laugh.
geekyone
Full Member
Posts: 180
« Reply #11 on: December 06, 2007, 01:00:42 AM »

Excellent post Kev. :D I think you and Dean both have good points. Which I think is the best thing about a good forum: you can get different viewpoints of topics.

CISSP, CEH, GPEN, GCIH, GCFA
Kev
Sr. Member
Posts: 428
« Reply #12 on: December 06, 2007, 09:53:25 AM »

Hey thanks and I agree.