If your company engages a third-party pentester to do vulnerability scanning, do you

  1. whitelist the pentester so that they can thoroughly scan the machines on the internet, or
  2. not whitelist them so that you have a better gauge of the effectiveness of your countermeasures?
StackzOfZtuff
Pang Ser Lark

2 Answers

3

If you are getting your network assessed for the first time, I would suggest giving the pentesters complete access.

You will get a comprehensive report which would include all the vulnerabilities that exist in your assets.

This will give you the complete understanding to plan upgrading the security of your network.

Moreover, during a pentest, the testers attempt a large number of attacks within a very short time. Please remember that in practice, an attacker might try these attacks slowly, over a longer period of time, and slip beneath the radar. To enable the testers to test efficiently, whitelisting the testers is essential.

feral_fenrir
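The point in the answer above about fast pentest traffic versus a slow attacker is worth seeing in detection logic. The following is an added example, not code from the answer or from any product: it runs two simple port-scan detectors over a constructed connection log. A short-window burst detector catches the tester's compressed scan but never sees the low-and-slow source, while a cumulative distinct-port counter catches both. The final helper shows one way to handle whitelisting that keeps the detection exercised: the tester's source address is tagged as expected rather than suppressed. All IP addresses are hypothetical (documentation ranges), the log is constructed, and the thresholds are illustrative.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Hypothetical source addresses (RFC 5737 documentation ranges), not real hosts.
FAST_SCANNER = "203.0.113.10"   # the engaged pentester, scanning quickly
SLOW_SCANNER = "198.51.100.7"   # an unknown source probing one port every 10 minutes
TARGET = "10.0.0.5"


def make_log():
    """Constructed connection log: (timestamp, src_ip, dst_ip, dst_port) tuples."""
    base = datetime(2024, 1, 1, 0, 0, 0)
    events = []
    # Pentester: 30 distinct ports in 30 seconds.
    for i in range(30):
        events.append((base + timedelta(seconds=i), FAST_SCANNER, TARGET, 1000 + i))
    # Low-and-slow source: the same number of distinct ports, spread over 5 hours.
    for i in range(30):
        events.append((base + timedelta(minutes=10 * i), SLOW_SCANNER, TARGET, 2000 + i))
    events.sort()
    return events


def burst_detector(events, window=timedelta(seconds=60), threshold=20):
    """Flag a source once it touches `threshold` distinct ports within `window`.

    This is the classic rate-based rule: sensitive to compressed scans, blind to
    anything paced slower than the window.
    """
    recent = defaultdict(deque)  # src -> deque of (timestamp, port) inside the window
    flagged = set()
    for ts, src, _dst, port in events:
        q = recent[src]
        q.append((ts, port))
        while q and ts - q[0][0] > window:
            q.popleft()
        if len({p for _, p in q}) >= threshold:
            flagged.add(src)
    return flagged


def cumulative_detector(events, threshold=20):
    """Flag a source once its lifetime count of distinct ports reaches `threshold`.

    Pacing does not help the scanner here; the cost is keeping per-source state
    for as long as the retention period allows.
    """
    ports_seen = defaultdict(set)
    flagged = set()
    for _ts, src, _dst, port in events:
        ports_seen[src].add(port)
        if len(ports_seen[src]) >= threshold:
            flagged.add(src)
    return flagged


def triage(flagged, expected_sources):
    """Label alerts instead of dropping them for whitelisted testers.

    The tester's traffic still flows through detection, so the engagement also
    verifies that the rules fire; only the alert disposition changes.
    """
    return {
        src: ("expected-test" if src in expected_sources else "investigate")
        for src in sorted(flagged)
    }


if __name__ == "__main__":
    log = make_log()
    fast_only = burst_detector(log)
    both = cumulative_detector(log)
    print("burst detector flagged:     ", sorted(fast_only))
    print("cumulative detector flagged:", sorted(both))
    print("triage:", triage(both, expected_sources={FAST_SCANNER}))
```

Running it shows the burst detector flagging only the pentester's address while the cumulative detector flags both, and the triage step marking the whitelisted tester as expected and the slow source for investigation.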
1

It depends on your real world threat model.

If you are afraid of the threat from internal employees, then you should give the pentester great levels of access - perhaps even sysadmin or general network access.

If, however, you're more afraid of Internet-borne threats, then a black box engagement would be more appropriate.

I personally like doing both - maybe alternate every year.