Re: rules of engagement scope

From: Ivan Arce (ivan.arce@coresecurity.com)
Date: Thu May 18 2006 - 19:47:14 EDT


Sorry, I still don't understand the point being made. Again, why is it bad
to define a scope for the pentest?

Michael Sierchio wrote:
> Ivan Arce wrote:
>> Frankly I don't see what kind of logical reasoning leads from
>> defining the scope for a penetration test ex-ante to committing fraud,
>> maybe I need some rest to ponder about these things more seriously.
>
> In some states in the US there is a cause for civil action
> known as "fraud by exceeding the scope of consent".

The original author (Mr. Nasty) equated defining the scope of a penetration
test to committing (or attempting to commit) fraud on the basis that if you
define a precise scope then you are purposely leaving out things that may be
important to the general public (I am assuming that he intended to apply
that rationale to government, public service organizations and public companies).

So you are talking about a different thing: Fraud (or is it phraud?)
committed by the penetration tester because she exceeded the scope of what she
was allowed to do, whereas Mr. Nasty proposed that having a scope defined by
the organization subject to the test is somehow equivalent to fraud (if the
results of the test are not made public).

I submit that scope definition prior to a penetration test is a good thing
because it syncs both the tester and the testee on what is considered
important, valid, desired, etc., and helps to plan resource allocation
accordingly and to understand and align expectations.

BTW you can still define the scope as: "Anything goes, no restrictions
whatsoever" but then you would be letting the penetration tester do whatever
she feels like doing and unless both parties have a good and long standing
relationship it becomes harder for both to assess the costs and the value of
the work.

>
> As an individual consultant in this litigious society,
> I want more than an affirmative defense, which may
> bankrupt me even if I am found not at fault.

Ever heard the term "professional liability insurance"?

Sincerely,
-ivan

---
"Buy the ticket, take the ride" -HST
Ivan Arce
CTO
CORE SECURITY TECHNOLOGIES
http://www.coresecurity.com
PGP Fingerprint: C7A8 ED85 8D7B 9ADC 6836  B25D 207B E78E 2AD1 F65A


This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:55:59 EDT