undefined | Better HN

0 pointsrandomdata2y ago0 comments

> It sounds like you're suggesting that pen testers by default will not reveal discovered vulnerabilities with clients.

How so? Presumably most pen testers are working in good faith. But, if there is a malicious actor in their midst, that individual would not disclose any vulnerabilities they intend to exploit, no. What would be the point? That's just a really good way to get caught.

> Then you talk about "discovered and revealed vulnerabilities".

Yes, that's right. While it is theoretically possible for all your pen testers to be working together maliciously, if you are careful in your employment practices you can make this highly unlikely.

As such, if your data shows that 100% of all known vulnerabilities were independently discovered by multiple testers, then there is reasonable confidence that any malicious actor's failure to disclose a vulnerability will still be reported by someone else.

But if that figure is less than 100%, and especially if it is considerably less than 100%, then there is much more doubt cast on another pen tester in your organization's ability to find the same vulnerability. Here you have a problem.

0 comments

x0x02y ago

The app and api are on the internet anyway, so you don't need to be a pentester to test it w/ no intention of reporting.

randomdataOP2y ago

You don't need to be, but there are some big advantages:

1. You get to test the flaws in an environment where nobody will raise an eyebrow. If you go straight for the production system, it is likely your early attempts will visibly show up in the logs.

2. You get paid to carry out malicious deeds. That's a double win.

It would be kind of silly not to.

x0x02y ago

I think it would be silly to do so. You're pulling down $20k+ contracts for a week's work. It's a pretty good gig and completely legal.

1 more reply

j / k navigate · click thread line to collapse

0 pointsrandomdata2y ago0 comments

> It sounds like you're suggesting that pen testers by default will not reveal discovered vulnerabilities with clients.

> Then you talk about "discovered and revealed vulnerabilities".

Yes, that's right. While it is theoretically possible for all your pen testers to be working together maliciously, if you are careful in your employment practices you can make this highly unlikely.

0 comments

x0x02y ago

The app and api are on the internet anyway, so you don't need to be a pentester to test it w/ no intention of reporting.

randomdataOP2y ago

You don't need to be, but there are some big advantages:

1. You get to test the flaws in an environment where nobody will raise an eyebrow. If you go straight for the production system, it is likely your early attempts will visibly show up in the logs.

2. You get paid to carry out malicious deeds. That's a double win.

It would be kind of silly not to.

x0x02y ago

I think it would be silly to do so. You're pulling down $20k+ contracts for a week's work. It's a pretty good gig and completely legal.

1 more reply

j / k navigate · click thread line to collapse