RE: Volunteer pen testing

From: Clement Dupuis (cdupuis_at_cccure.org)
Date: 12/15/04

  • Next message: Chris Buechler: "Re: pwdump 2 & 3"

    To: "'Matt Bellizzi'" <matt.bellizzi@nokia.com>
    Date: Wed, 15 Dec 2004 17:54:50 -0500

    Good day Matt,

    Do take a look at:

    http://www.professionalsecuritytesters.org/modules.php?name=Downloads&d_op=viewdownload&cid=1

    You will find a sample agreement between a tester and a client.

    It can serve as the basis for developing your own.

    Take care

    Clement
    http://www.professionalsecuritytesters.org
    The Professional Security Testers Warehouse

    -----Original Message-----
    From: Matt Bellizzi [mailto:matt.bellizzi@nokia.com]
    Sent: 15 December 2004 14:21
    Cc: pen-test@securityfocus.com
    Subject: Re: Volunteer pen testing

    Thanks for responding everyone. Well, it looks like there are two camps
    here. The first group mostly objects to the liability to me. The
    second thinks it's a good idea. It looks like I should seek some legal
    advice. Luckily my company offers that as a benefit. Or I'm sure I
    could probably find a lawyer to do it pro bono. Looks like I'll need
    an NDA for me, a letter of intent and an agreement to hold harmless for my
    client. If someone out there has some boilerplate examples of these I
    would love to see them. A couple of other issues were also brought to my
    attention. Like, what is the scope of the pen test? Also, what happens
    after the pen-test? And finally, who to call if I DoS something. Off
    the top of my head: the scope of the pen-test is dependent on the
    client's network. The actions after the pen-test depend on whether they
    have staff or not. As for crashing machines... I'm thinking that before even
    attempting to test I would have to meet with whomever they have on
    staff and co-ordinate off times for testing and contact numbers. I
    would also not run actual DoS exploits. This might not be
    considered a pen-test, but I still think it might be useful and/or fun.
