RE: Proposal?

From: Pete Herzog (lists@isecom.org)
Date: Tue Feb 04 2003 - 10:06:06 EST


Hi,

I just posted the sec-testing starter kit which is actually from the OSSTMM
Professional Security Tester course and covers briefly the rules of
engagement: what testers need to think about and do in testing. It includes
what needs to be covered in an OSSTMM certified test. It's an overview. I
also posted just the templates from the OSSTMM 2.0. That might help you.
One of them is the Assessment template which basically helps you outline
exactly what you're going to test and why you made the cost estimate you did.

You can find them both here:

www.isecom.org/guides/templates.pdf
www.isecom.org/guides/starter-kit.pdf

Sincerely,
-pete.

-----Original Message-----
From: Martin Wasson [mailto:martin_wasson@mastercard.com]
Sent: Monday, February 03, 2003 8:40 PM
To: Ryan
Cc: pen-test@securityfocus.com
Subject: Re: Proposal?

Ryan,
Here are some items you may wish to include. It's off the top of my head,
so they're not in any particular order. But you'll want your doc to flow
nicely, so arrange them as logically as you can. That's all I can think of
at the moment. Use whatever ones you like:

scan request submitted by:
the requester/submitter's department:
an emergency contact including email/pager/cell # if the scan causes
problems/outages: (you)
outline the specifics of the scan:
who owns the box you'll be scanning:
has the box/data owner been notified, and do they need to approve the scan:
how you will back-out if the scan goes awry:
will an outage need to be scheduled for the scan:
what are the possible external customer impacts of the scan:
what are the possible internal customer (your co-workers) impacts of the
scan:
what is the reason for the scan:
what hardware platform is the scan being done from:
what hardware platform is being scanned:
what tools you will be using to perform the scan:
a description of each tool's purpose:
what is the risk severity of the scan: (will you be employing D.O.S.
techniques, as nessus or iss internet scanner might do)
when you will begin:
when you will end:
who has approved the scan:
what individuals/departments have been notified of the scan:

Marty Wasson

From: "Ryan" <ryan@packetwatch.net>
To: <pen-test@securityfocus.com>
cc: (bcc: Martin Wasson/STL/MASTERCARD)
Subject: Proposal?
Date: 02/02/03 11:03 AM

Hi,

I am going about doing my first pen-test, and I'm at the point of
writing my proposal with specific details, like the machine's IP address
and host name, the time of day I will be working, and what I'd like to
do. I will be performing a pen-test on one specific server. I was
wondering if anyone could give me a guideline (format) of how to do
this. I was told by them that they are looking for a 1-2 page writeup.
Thanks.

Ryan
