I would call what they are attempting to do an audit. This is not a pen-test of any sort. Now if they were going to pen-test leave the IPS up. There are ways to get around an IPS with out having someone add your IP to an exclusion list. If I were you I would suggest to the powers that be to find a different company. Try a company like ISS, Offensive Security, Rapid 7, Digital Defense. Out side of that these are the questions that should have been asked.

How long has your company been in business?
How many pentests has your company performed?
What is your companyâ??s pentesting process?
Does your testing team have certifications?
Which pentesting tools does your company use?
What safeguards are in place to ensure that critical systems are not affected during the pentest?
In the event that a secondary or remediation scan is needed, will there be an additional fee?

Hope this helps.

Thank You,
Reginald Wheeler A+ Networking+ MCSE 2003

----- Original Message -----
From: "Kid Tangerine" <kidtangerine (at) gmail (dot) com [email concealed]>
To: security-basics (at) securityfocus (dot) com [email concealed]
Sent: Monday, August 6, 2012 9:57:24 AM
Subject: Disabling IPS for PENTEST

All,

Corporate has requested we get a PENTEST for our Internet facing
website from a third party, but the third party asked us to allow
their ip address to be excluded from our IPS.

Is that a common practice to basically turn off our protection and
allow them in?

Obviously we aren't developers, so If the code has sql injections,
cross site scripting, etc vulnerabilities we cannot fix it within the
corporate guidelines, and our only leverage from the IT infrastructure
side is to include the needed filters in the IPS to prevent their
crappy code from being exploited. It we turn off the IPS I am sure all
kinds of things will show up.

Any experience appreciated.

------------------------------------------------------------------------

Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate. We look at how SSL works, how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442
f727d1
------------------------------------------------------------------------

------------------------------------------------------------------------

Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate. We look at how SSL works, how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442
f727d1
------------------------------------------------------------------------

[ reply ]