
Re: [WEB SECURITY] security audit - how to avoid legal prosecution




I would advise you to take the Auditing course offered by SANS.org.

You receive about 40 hours in lectures and almost 1 meter's height in 
reference material.

Anybody conducting any automated "Vulnerability Assessment" without a written 
"sanctioned" agreement/authorization is opening themselves up to some type 
of punitive action.  Whether it be internal (making yourself open to HR/Policy 
violations - and you or they should have a policy strictly prohibiting the 
"free-lance" Vulnerability assessment), or external, in which case you may have 
problems with local law, libel suits, etc.

I would also have the written agreement from at least a Director or V.P. 
level.  If the assessment goes south, the higher authority may be a little upset, 
but you would be in a protected zone.

Unannounced assessments are good and encouraged, but they too should fall 
into some type of prearranged written agreement / policy and be conducted by 
personnel or consultants that are "vetted," meaning they are certified and 
unbiased.

So the bottom line is:  No Authorization - No Automated Assessments.

Signed,

 - the Wannabe Security Guru

P.S.  I am not affiliated with SANS except as an InfoSec Student.




Brought to you by http://www.webappsec.org