Re: pentest documentation

From: Sol Invictus (sol@haveyoubeentested.org)
Date: Mon Oct 02 2006 - 19:15:52 EDT


> I want to document the pentest process in detail, not only for the
> customer, but for later reviews and to avoid legal difficulties.
>

If I knew you were keeping pentest info on my company I wouldn't hire
you. Keeping that data around makes you a target for all your
customers.

But in answer to your real question about how to track everything. You
can use Wireshark right next to your attack machine and "record"
everything that happens between you and the client. All of that data
can then be burnt to a CD along with an MD5 hash of the entire CD that
you can keep on file. The CD or multiple CDs would then be given to the
customer and all data on your systems purged at the end of the project.

Then you put it in your contract that if litigation ever takes place,
the CD or CDs must be subpoenaed and the MD5 verified with the code you
have on file. That way it's the customer's responsibility to secure it
and if the MD5 ever changes, then they've modified the CD and that
throws out their entire case.
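The record-and-hash procedure described in the post, as an added example that is not part of the original message: it models the CD as a directory of capture files, builds a per-file MD5 manifest (MD5 because that is the hash the post specifies), reduces it to one digest to keep on file, and shows that a later edit to any file makes verification fail. The function names, the sample files and the directory layout are assumptions.

```python
"""Evidence-integrity manifest for a pentest capture archive (added example).
Assumptions, not from the original post: the 'CD' is a directory, every file
on it is covered, and MD5 is used because the post specifies an MD5 on file.
"""
import hashlib
import os
import tempfile

def md5_file(path):
    """Stream the file through MD5 so large captures need not fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root):
    """Return {relative_path: md5} for every file under root."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = md5_file(full)
    return manifest

def manifest_digest(manifest):
    """One MD5 over the sorted manifest text: the single value kept on file."""
    lines = "".join(f"{d}  {p}\n" for p, d in sorted(manifest.items()))
    return hashlib.md5(lines.encode()).hexdigest()

def verify(root, digest_on_file):
    """True only if every file is present and unchanged and nothing was added."""
    return manifest_digest(build_manifest(root)) == digest_on_file

def demo():
    """Constructed sample: two files, a digest recorded, then one file edited."""
    with tempfile.TemporaryDirectory() as cd:
        with open(os.path.join(cd, "capture-day1.pcap"), "wb") as f:
            f.write(b"\xd4\xc3\xb2\xa1" + b"\x00" * 20)  # constructed pcap-like bytes
        with open(os.path.join(cd, "notes.txt"), "w") as f:
            f.write("scope: customer-provided test range\n")
        on_file = manifest_digest(build_manifest(cd))  # value kept by the tester
        intact = verify(cd, on_file)                   # media as delivered
        with open(os.path.join(cd, "notes.txt"), "a") as f:
            f.write("edited later\n")                  # simulated modification
        return intact, verify(cd, on_file)             # (True, False)
```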




This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:57:04 EDT