http://www.perlmonks.org?node_id=1082674


in reply to Re: Pre-pen testing code review
in thread Pre-pen testing code review

But having a competent, conscientious pre-test might avoid the downsides of failing the real thing. I can't guess if that's a consideration here; far less, whether it should be, but, IMO, it deserves consideration.

 


Check Ln42!

Replies are listed 'Best First'.
Re^3: Pre-pen testing code review
by sundialsvc4 (Abbot) on Apr 18, 2014 at 14:47 UTC

    No, honestly, I would let the software fail the pen-test if it is going to.   If the pen-tester is competent, this will yield far more results than you ever expected to see, and only then will you be in the proper position to evaluate them all and to create an appropriate remediation plan.

    The way that I encourage clients to look at this sort of thing is ... “Look, those defects are out there.   The most important thing is to discover them, not to bemoan the fact that they exist.   In any and in every piece of software, they do exist.”   There is no room for ‘politics’ here, nor for pride.   Discover them, fix them, prove they’re gone and that they stay gone.”

    Budget for at least two pen-tests.