On Tue, 17 Aug 2004, Michel Arboi wrote:
1. As far as I know, on a civil point of vue, you are responsible if
you destroy something, unless you warned your customer of _all_
risks. You cannot just say "I am responsible for nothing, whatever
happens, please sign here". Such a contract is void.
This is at least the situation in France, and I suppose that this is
true in many other countries.
Well, you can always give the customer a copy of Nessus, let them run it
themselves and charge money for the interpretation of its output. :)
2. Suppose you have a banking application that transfers billions of
dollars every day. You don't want to break it, because every minute
costs. The easy solution is to avoid it (don't scan, don't even look
at it!) but on the way you prefer to find a flaw before the bad guys.
Maybe there is an identical test machine: you can play with it. Or
maybe not. Or maybe the test machine is the backup machine, and it
should remain available "just in case"...
Well...if you have a banking application transfering billions of dollars
every day, then every piece of the system must be triplicated (at least).
If you cannot take one of its redundant parts offline and expose it to a
potentially destructive test, then a person responsible for the design
of the system should be shot.
Either the system in question is a "mission critical" system, or it is
not. In the latter case, it does not really matter whether anything breaks
during the test. In the former case, they should be ready to handle a
wide spectrum of failures including typical problems caused by a Nessus
scan (i.e. software crashes or lock-ups). After all, computers (esp.
those running software from certain vendors I shall not name here) break
"spontaneously" every day.
--Pavel Kankovsky aka Peak [ Boycott Microsoft--http://www.vcnet.com/bms ]
"Resistance is futile. Open your source code and prepare for assimilation."
_______________________________________________
Nessus mailing list
Nessus@list.nessus.org
http://mail.nessus.org/mailman/listinfo/nessus
