
Wed, 4 Jul 2007

SensePost and 110%

Hi guys...

Just a few words to allow me to semi-rant, because I'm secretly someone who wishes he had a blog, and emails like this are better because you guys are a semi-captive audience.

Recently I heard a few questions along the lines of "Isn't that too much for what they (the customer) are paying for?" or "Where do we draw the line?". They are reasonable questions, and I thought I'd give my 0.000002c on it officially.

I have two general guidelines that cover most situations:

[a] We stop when we stop adding value. (If you can prove the point by hacking 2 boxes, you don't have to hack 200.)
[b] We stop when we have earned the customer's trust/respect/ears.

[b] is slightly tricksy: it means using your judgement a little more than [a] does. It is generally what makes us perform a social (social-engineering exercise) that involves Telkom, fake creds, and possibly even fake router boxes on a standard "3rd party router configuration assessment", because we _needed_ to go in hard.

The difference between us and XXXXXX / YYYYYYY / insert_name_here is not that we are smarter than them (because they had/have some wickedly smart people), but that we almost always want to give more value, and that is what has made SensePost the name that it is. It occurred to me today, while discussing what we do on a firewall rulebase assessment, that what we do is whatever it takes to make the point, i.e. to identify and fix problems.

To labour the firewall point, it's how come "rule-base assessments" in the past have included us going on-site to compromise the firewall admin's machine, going to a 3rd party to compromise a shared host, and going on-site to see if we could social-engineer access to the rule-base when we knew the firewall admin was on vacation.

I'm not saying we need to be dramatic. Those cases all happened because we felt the customer had administrative problems, and we felt they needed to see the repercussions to believe it. What I _do_ want to stress, though, is the thinking. We don't aim to finish the report so that it looks like the last report someone did; we aim to do whatever we need to do to make the point we think the customer most needs to grok.

That's why we get the big bucks: because we make clear what they need to grok.

With that line in mind (by the way), I'm introducing a new negative point for report QA which I'm calling a "lazy point" deduction. This refers to those times when we provide the customer with data, expecting them to do the analysis. _We_ do the analysis; that's why we get... ;>

Breaking into companies is fun, but you will find the novelty wears off, and you stop feeling cleverer than devs the first time you have to dev something. What makes our profession leet is the ability to make a difference. Yesterday people's private medical records could have been all over the web; today they are not, because George did a leet web-app test on XXXX, or because Rob had them restore sanity to their rule-base. It's a lot of power, and it should leave you with a warm fuzzy feeling long after the dust settles.

Conversely, if you broke them "stukkend" (to pieces), showed you know 10*(what their devs know) and called them idiots, but have not really made them get it or made them better for the experience, you might as well not have done the work at all.

So, when is it done? When we have done what we think it's going to take to make them get it.

/mh
