October 3, 2011 at 5:03 pm #6873
I’m in a bit of a conundrum at work and have a question I’m just looking for ideas for. We have a large prospective client who wants to do a 3rd party pen test (on an agreed upon vendor) for two of our applications. Currently, we do vuln. scans and server/network scans on a scheduled basis so I have a good amount of info on the apps from those standpoints. Over the summer, I did an enterprise scale implementation of a static source code tool and have the results for all of the apps in question. One of the apps is fine, but the other is a complete f-ing disaster and has upward of 100 high risk (not severe like sql injections but null dereference, unreleased resources, race conditions, etc). The main issue is that the wording in the contract is that there is a hard timeframe they expect anything from the pentest to be corrected by, and it’s like NFW the developers can fix these issues on that quick of a requirement. Any thoughts from the community? Do I just throw myself in front of it and try to delay? Planking on the CIO’s desk?
October 3, 2011 at 5:15 pm #42464 ziggy_567 (Participant)
Forgive me for being blunt or ignorant if I’m missing something…
But as a penetration tester, your role is not to make those decisions. Your role is to find the vulnerabilities, try to exploit them, and report them. This is your role, so that the person paid to make the decisions has all the necessary information to make a well-informed decision that will benefit the company and its investors.
October 3, 2011 at 8:04 pm #42465
October 3, 2011 at 8:18 pm #42466 cd1zz (Participant)
I think he’s saying they are contracting out the pentest and they’re not doing it internally, right l33t?
If this is the case and you think there are issues with the contract, you just need to try and communicate your concerns. I don’t know your role in the company, but try not to sound like you’re panicking or that the sky is falling. Use real data like, “remember when we had xyz problem and it took 6 months to fix? Well, we think there might be 100 of these vulnerabilities, so the pentesting company’s contract seems a little unrealistic.”
Management will hopefully make decisions on real data or projected data, not just sheer emotions 😉
Stay professional and communicate clearly, that is the only way they’ll listen to you. If this doesn’t work, plank the CIO’s desk and then go right into a batman on his credenza.
October 3, 2011 at 8:34 pm #42467 hayabusa (Participant)
I agree… I guess what I meant with the “++1” was more along the line of, if you have a job to do, whether as a contracted pentester or as an internal auditor, you still should report what you’re aware of, up the chain, to get it resolved. You still have a responsibility to communicate what you’re aware of, upstream, to try to protect your services / offerings, and your customers.
So ++1 to both.
October 4, 2011 at 1:48 pm #42468
Thanks everyone for the responses. I should have been a bit more clear. I will not be performing the pentest – I am in charge of the app security functions (static source code analysis, vuln scans). Granted, I was a little frustrated when I threw this up yesterday so I’ll be more precise. The client is looking to contract out a 3rd party pentester. We don’t do this, we have our own. As with most management, I’ve been brought into the process late, and am now trying to tell them I know waaay too much about some of our coding issues to sign up for this. It’s not the pentest I’m worried about, it’s the expectation that findings (which will be tested by secondary pentest) will all be resolved in a 60 day window. I’m just looking if anyone has been in a similar situation and ultimately what some good options are.
October 4, 2011 at 1:53 pm #42469 cd1zz (Participant)
That’s what I figured the situation was.
It’s ultimately a matter of time and resources. If the time window is small, they’re going to have to hire people to help you hit that deadline. If not, you’ll miss it.
If this is the case, refer to my previous post on communicating your concerns clearly to management. Just make sure you CYA so that they can’t say later that you didn’t speak up.
October 4, 2011 at 2:40 pm #42470 Solinus (Participant)
I have to agree with a lot of what has been said here. It is tough to go before someone with the knowledge that you have. It seems that no matter how you approach it, the messenger gets shot. Are you certain that all the findings are high risk? Can some be explained as acceptable because of business practices? I have seen so many instances where things marked as high risk really are not, and the opposite as well.
Make sure that there is a valid solution for the risks and present that. The best advice is to have all your data in presentable format before you get called on the carpet.
There may have been mitigating circumstances to some of these findings and you need to look back and thoroughly search them out. Be sure not to blame others for the circumstances because that never looks good, but also, don’t volunteer to fall on the sword. It is your career that you need to have in mind. Management does not always understand that your being honest is critical to what you do.
Be prepared that they will most likely not like what you say and that you need to be sure of yourself when facing them.
If there are as many findings as you claim, then sixty days is an impossible target unless they are willing to supplement the team with outside assistance.
Let us know how it turns out.
October 4, 2011 at 2:51 pm #42471
Thanks again for the responses.
Yes, there are some issues marked as high risk that can be explained away; I think I have a grasp on these talking points.
However, some of the issues (hard-coded pw … FTW!) and a few dashes of CSRF/XSS… it’s like, come on dudes, we have way too many sec tools in place (and training) to be in these spots. Meeting is Thursday so messages going out then. If you don’t hear from me after, tell wife/kids I loved them.
October 4, 2011 at 7:20 pm #42472 alucian (Participant)
I understand your feelings. Try not to blame anybody; after all, it is the management’s fault and you cannot blame them.
Throw them the ball and let them play. Make sure you stay away.
This is one of those moments when you think it is better to be a truck driver: you are responsible for your own faults only 🙂
December 2, 2011 at 4:33 am #42473 l33t5h@rk (Participant)
This issue was finally resolved for anyone interested or not interested.
We ended up working w/ the client and mapped out a plan w/ similar objectives from our preferred pen test contractor and the client accepted this. The test completed today and surprisingly, no high or urgent vulnerabilities were found. I guess my paranoia probably got to me on this one, but at the end of the day, we found no issues, and this particular problem was what caused me to seek out advice from the crew at ethicalhacker.net and become a registered user. Thanks to everyone for commentary and input, it’s a wonderful site.