[WEB SECURITY] RE: [WEB security audit - how to avoid legal prosecution

Don_Tuer at hsbc.ca Don_Tuer at hsbc.ca
Wed Jun 8 12:43:42 EDT 2005


If you are a consultant performing pen tests you are best to get the
sponsor AND THEIR MANAGER to agree in writing...



From: "Aiken, Dan" <AikenD at HSS.EDU>
Date: 06/08/2005 11:03 AM
To: <webappsec at securityfocus.com>, <websecurity at webappsec.org>
cc:
Subject: RE: [WEB SECURITY] security audit - how to avoid legal prosecution

The difference between a hacker and a security consultant is PERMISSION!
Always, repeat ALWAYS, get permission IN WRITING before doing any active
penetration testing of any network. Respected figures in IT have lost
their jobs or been sent to prison for not getting written permission
before doing pen testing.

Dan Aiken, GSEC, GSNA
Corporate Compliance Director
Hospital for Special Surgery
535 East 70th Street
New York, NY  10021
(212) 774-2569
aikend at hss.edu
"In theory there is no difference between theory and practice. In
practice there is." Yogi Berra, quoted by Bruce Schneier in Secrets &
Lies, p.8.

The opinions expressed in this message are the author's own and not
necessarily those of Hospital for Special Surgery.


-----Original Message-----
From: Maxim Kostioukov [mailto:maxim at francoudi.com]
Sent: Wednesday, June 08, 2005 10:01 AM
To: webappsec at securityfocus.com; websecurity at webappsec.org
Subject: [WEB SECURITY] security audit - how to avoid legal prosecution


Would someone advise on how to approach this, in the sense of legal
agreements, BEFORE doing any security research?

For example, one is doing penetration tests on web apps without a
written agreement or, even worse, without the other side being aware of
the test, and then informs that side about the findings (not disclosing
them publicly).

Is there any chance of legal prosecution being initiated if the other
side simply wants to do so? I think it is possible... Any advice?

---------------------------------------------------------------------
The Web Security Mailing List
http://www.webappsec.org/lists/websecurity/

The Web Security Mailing List Archives
http://www.webappsec.org/lists/websecurity/archive/
