[WEB SECURITY] security audit - how to avoid legal prosecution

DasPadre at aol.com DasPadre at aol.com
Thu Jun 9 21:48:00 EDT 2005


I would advise you to take the Auditing course offered by SANS.org.

You receive about 40 hours of lectures and almost a meter's height of 
reference material.

Anybody conducting any automated "Vulnerability Assessment" without a written, 
"sanctioned" agreement/authorization is opening themselves up to some type 
of punitive action.  Whether it be internal (making yourself open to HR/policy 
violations; you or they should have a policy strictly prohibiting 
"free-lance" vulnerability assessment), or external, in which case you may have 
problems with local law, liability suits, etc.

I would also have the written agreement from at least a Director or V.P. 
level.  If the assessment goes south, the higher authority may be a little upset, 
but you would be in a protected zone.

Unannounced assessments are good and encouraged, but they too should fall 
under some type of prearranged written agreement/policy and be conducted by 
personnel or consultants who are "vetted," meaning they are certified and 
unbiased.

So the bottom line is:  No Authorization - No Automated Assessments.

Signed,

 - the Wannabe Security Guru

P.S.  I am not affiliated with SANS except as an InfoSec student.

