in reply to
Re^2: Pre-pen testing code review
in thread Pre-pen testing code review
No, honestly, I would let the software fail the pen-test if it is going to. If the pen-tester is competent, this will yield far more results than you ever expected to see, and only then will you be in the proper position to evaluate them all and to create an appropriate remediation plan.
The way that I encourage clients to look at this sort of thing is ... “Look, those defects are out there. The most important thing is to discover them, not to bemoan the fact that they exist. In any and in every piece of software, they do exist.” There is no room for ‘politics’ here, nor for pride. Discover them, fix them, prove they’re gone and that they stay gone.”
Budget for at least two pen-tests.