Forgive me for being blunt or ignorant if I'm missing something...

But as a penetration tester, your role is not to make those decisions. Your role is to find the vulnerabilities, try to exploit them, and report them. This is your role, so that the person paid to make the decisions has all the necessary information to make a well-informed decision that will benefit the company and its investors.

Period.

I think he's saying they are contracting out the pentest and they're not doing it internally, right l33t?

If this is the case and you think there are issues with the contract, you just need to try and communicate your concerns. I don't know your role in the company but try not to sound like you're panicking or that that sky is falling. Use real data like, "remember when we had xyz problem and it took 6 months to fix? Well, we think there might be 100 of these vulnerabilities so the pentesting companies contract seems a little unrealistic."

Management will hopefully make decisions on real data or projected data, not just sheer emotions

Stay professional and communicate clearly, that is the only way they'll listen to you. If this doesn't work, plank the CIO's desk and then go right into a batman on his credenza.

Thanks everyone for the responses. I should have been a bit more clear. I will not be performing the pentest - I am in charge of the app security functions (static source code analysis, vuln scans). Granted, I was a little frustrated when I threw this up yesterday so I'll be more precise. The client is looking to contract out a 3rd party pentester. We don't do this, we have our own. As with most management, I've been brought into the process late, and am now trying to tell them I know waaay too much about some of our coding issues to sign up for this. It's not the pentest I'm worried about, it's the expectation that findings (which will be tested by secondary pentest) will all be resolved in a 60 day window. I'm just looking if anyone has been in a similar situation and ultimately what some good options are.

I have to agree with a lot of what has been said here. It is tough to go before someone with the knowledge that you have. It seems that no matter how you approach it, the messenger gets shot. Are you certain that all the findings are high risk? Can some be explained as acceptable because of business practices? I have seen so many instances where things marked as high risk really are not, and the opposite as well.
Make sure that there is a valid solution for the risks and present that. The best advice is to have all your data in presentable format before you get called on the carpet.
There may have been mitigating circumstances to some of these findings and you need to look back and thouroughly search them out. Be sure not to blame others for the circumstances because that never looks good, but also, don't volunteer to fall on the sword. It is your career that you need to have in mind. Management does not always understand that your being honest is critical to what you do.

Be prepared that they will most likely not like what you say and that you need to be sure of yourself when facing them.

If there are as many findings as you claim, then sixty days is an impossible target unless they are willing to supplement the team with outside assistance.


Let us know how it turns out.

I understand your feelings. Try not to blame anybody, after all is the management's fault and you cannot blame them.
Through them the ball and let them play. Make sure you stay away.

This is one of those moments when you think is better to be a truck driver, you are responsible for your own faults only