2003-06-16
A few odd cases show that you don't have to be a digital desperado to be accused of a cybercrime... particularly if you embarrass the wrong bureaucrats.
Bad Raps for Non-Hacks
As a former pen-tester of five years (I work as in-house corporate security now) I agree with many of blacklight's statements.
I also have to state that whoever in the security industry did not see these scenarios coming three years ago (or even as much as four), when companies started trying out lawsuits against security researchers, has to have been completely blind, deaf and dumb.
The key here is if you stay in the security world you have to be a lawyer or know a good one and ensure that you CYA so tightly that you are the teflon man. If you are lucky, some company that you just recommended to their board of directors that they spend several million to fix security problems in their company doesn't find a way to sue you for pointing this information out. It is cheaper for those companies to take that tack in the short term than do the right thing in the long term. It's called a cost-benefit analysis.
Suits like this can have a chilling effect on those pen-testers who are technical wizards without the social, political, or legal knowledge to use teflon-like methods of CYA. Unfortunately I think the era of technical wizardry as a sole method of pen-testing is over and it would benefit the technical wizards to pair up with a legal and social wizard as well to ensure they are completely covered in all aspects.
IT as a whole cannot afford to lose the expertise that is out there due to the short-sighted idiots who typically adorn boardrooms, or to FUD-mongers that state that this is a 'death knell' to the pen-testing field. It may mean a few changes will be needed, and a few lawyers (I know, a very ugly word) may need to be involved to help the pen-testers CYA to ensure we still have their knowledge to improve the security of the industry.
Link to this comment: http://www.securityfocus.com/comments/columns/167/20496#20496