Lying is not an embellishment or puffery, it's a lie. Engaging a company for a 3 day pen test that's totally insufficient, that would be an embellishment.
It doesn't matter if the client doesn't really care. That's just a rationalization, plain and simple. No different in kind from, "well the bank teller doesn't really care if I rob the bank because it's not their money, and the money is insured anyway, so is it really even robbery?" Only different in degree (to be fair, an enormous degree; just to illustrate).
A pen test is a real thing. "What is a pen test really?" is another rationalization. There may be many flavors of pen test, but fabrications are fabrications. One of the most important parts of pen tests is that they are external. It's like saying, "what is an audit really? We have accountants and they check our books for anomalies." Just doing your job as an engineer and looking for bugs is not a pen test. In the same way that being careful and rereading your own changes is not a code review.
This reads to me like an engineer committed to their work. I think they should be proud of themselves for not going along with this. I think the problem is that management isn't doing their job properly. They're cutting corners because they fucked up and didn't make sure a pen test happened or listen to their technical people. This is a strategic necessity for the company that would have been so easy to accomplish and should have been foreseen. They're trying to rule by dictate and it could destroy their career if this ends up in court. Even now, they could get some kind of rush job done - but no, they choose to endanger the company and the people in it instead.
Imagine being a lawyer or a paralegal and getting your hands on those emails in discovery. They didn't only demand their engineer lie, they did it in writing. The engineer is not the problem here.
> Lying is not an embellishment or puffery, it's a lie. Engaging a company for a 3 day pen test that's totally insufficient, that would be an embellishment.
I agree, but if the RFP question was phrased "have you done penetration testing?" then that leaves a lot of room for embellishment. If the question is "do you have SOC2 certification?" and you answer "yes" untruthfully, then that is a lie. If they ask for the SOC2 or pentest report and you give them a falsified document, that's where you're (probably) committing fraud.
> One of the most important part of pen tests is that they are external.
AWS/Google/etc. have internal security teams doing their pen tests, so no, this isn't true.
> Just doing your job as an engineer and looking for bugs is not a pen test.
What about an engineer spending an afternoon running ZAP[0]?
> It's like saying, "what is an audit really? We have accountants and they check our books for anomalies."
Yeah, which is why you don't just ask a company "do you keep track of your finances?" if you're investing in them, you request external auditors.
I have literally worked alongside external pentesters for some of those organizations you allude to. I still remember their codenames.
They might have the scale to have internal pentesters nearly as isolated as external pentesters. A ten person startup definitely does not.
Regardless of what tools you use, an internal pen test isn't the same. Do internal accountants use different tools than KPMG? Probably not.
The RFP likely did contain more precise language.
I encourage you to reflect on your position. It's very odd to me that your attitude is, "if the customer didn't want to be lied to, they should've tied me down better, because I'm like a djinni who will twist your words against you if there's the slightest ambiguity." I understand the sentiment that RFPs and contracts need to be locked down. I don't understand the sentiment of, "they had it coming."
> Regardless of what tools you use, an internal pen test isn't the same
It isn’t the same as an “official” pen test for a 10 person company with non-specialists, sure. But the document, to our knowledge, didn’t ask if they had some specific form of pen test.
> because I'm like a djinni who will twist your words against you if there's the slightest ambiguity.
They aren’t twisting anything. If a quick and informal pen test meets their definition then they should be more specific.
> Just doing your job as an engineer and looking for bugs is not a pen test
A pen test’s goal is to find security bugs by posing as an attacker. There is no requirement that it is systemic, formally documented, performed by a “security expert,” or that it is done by any external party.
Those are all desirable _properties_ of a pen test that may be required for various certifications, but an engineer can absolutely conduct a quick and informal pen test at any time.