On 6/15/05, Dave <dave.anon@gmail.com> wrote:
response to a question I had. I had asked for the definition the
Department was adopting for penetration testing. The response I
received was (scrubbed for anonymity):
Well, IMHO, you got what you asked for, not what you expected. Their
definition of penetration testing is that there will be no penetration
testings, but scanning and password cracking (which is what many big
firms do, and I didn't expect the Government to be much different).
Ok, I have big problems with this. There are seperate and distinct
requirements for maintaining password complexity, performing vuln
scans, AND performing penetration testing. Any industry guideline or
resource would never allow this "definition". Am I wrong? Am I over
reacting?
Unless you were specifically hired to do penetration testings, you
might just accept the fact that it's not a penetration testing what
you'd be doing there. Otherwise, you might just wanna slam the door on
your way out.
When I brought this up to my chain of command I was told "don't rock
the boat". They fully admitted that they knew the definition to be
incorrect in that it was not meeting the intent of the requirement,
but that I should not say anything to rock the boat and just accept
this.
Now, if there is a specific requirement that you do penetration
testings, and no definition is provided in the requirement, I'm afraid
the one encharged of making that definition is the one who rules.
Obviously, for ethical reasons, I am leaving the agency and the department.
Feedback? Thoughts?
-- Dave
IMHO, if you think you'll never be able to make the change inside
AgencyX so that "penetration testings" become *penetration testings*,
I understand your decision. Otherwise, you should try to make the
change from the inside (not just for you, but also for AgencyX).
Regards,
Kepler
