by 0xDEFC0DE 2469 days ago
>Pentesters sometimes are leveraged as pawns in political games in organizations - seems similar with government.

How?


I've had clients tell me to hit certain known vulnerabilities specifically.

I can see a situation where the decision to stay on or swap off a system is being debated. If one party can send in testers and call out some vulns, that might play to their hand.

There's kind of a difference between clients and stakeholders gaming a pentest or spinning its results and pentesters not being authorized to test their targets. Even with basic web pentesting, rules of engagement, particularly around which targets you're authorized to test, are a big deal. This is a hell of a SNAFU.

Absolutely agreed. Especially since, in spite of my disagreement with the handling of things, the sheriff may have a point on the authorization angle.

My initial comment pointed more generally to an example of politics within a company though.

Like: a scenario that comes up all the time in ordinary web application testing: your authorized target interacts with a third-party API, which you are not authorized to test. Pentesters generally get this right, because if you get it wrong, no matter what your client tells you, you're liable. (Indemnification may come into play here, but it won't matter criminally.)