Penetration Testing Agreements

Pen testing is a valuable way to determine how resistant an organization's digital infrastructure is to attack from outsiders. What could be better for checking the security of a network than giving scary-smart people permission to hack it? Ed likes to share the various challenges of professional penetration testing. Here at BHIS, we have had a few cases where we had to walk away from contracts because the lawyers were too involved in them. So, a little background before plunging into the various follies of legal power. As we teach in SANS 560, there are four documents that form a solid basis for a penetration test. First, the proposal itself. Second, the scope. The scope explains what is being tested, what should not be tested, and which systems/users/services should be treated with special care and love. The rules of engagement define how you should test. This document covers points of contact, schedules, and notification trees for critical findings. The last one, the "Authorization to Test" document, will be discussed in a moment.

I'm glad you asked. First, stay within scope. Second, test your exploits on a lab system before launching an attack. And third, record the fact that you tested your attack. Companies seeking a security audit that involves a penetration test, and those responsible for carrying out the test, should be aware of the legal minefield they are entering. Why would a lawyer want to take out a compensation clause? Because they are doing their job. Their mission is to protect their clients, and a contract in which a company does potentially harmful things runs completely counter to how things normally work. It will take time and effort on your side to educate them about what you are doing. That doesn't mean you should be condescending or talk down to them. It means you should do your best to make sure the lawyer, and sometimes the client, knows what a penetration test is. Another point that should be clarified in this section is the allocation of resources.
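As an added example (not code from the original post or from BHIS), here is a small Python scope gate that encodes the scope document's three lists (in scope, excluded, handle with special care) plus the engagement window, refuses anything outside them, and appends every decision to an audit record, so rule one and rule three are enforced mechanically. The addresses and dates are constructed placeholders.

```python
import ipaddress
from datetime import datetime

# Constructed sample scope document for a hypothetical client; in a real
# engagement these values are copied from the signed scope and rules of engagement.
SCOPE = {
    "in_scope": ["203.0.113.0/24", "198.51.100.10/32"],
    "excluded": ["203.0.113.5"],            # explicitly off limits
    "handle_with_care": ["203.0.113.20"],   # needs point-of-contact sign-off first
    # Six-week engagement window, ISO 8601 with timezone
    "window": ("2024-06-03T00:00:00+00:00", "2024-07-12T23:59:59+00:00"),
}

# Audit trail of every decision; a real engagement would use an append-only file.
AUDIT_LOG = []


def check_target(target: str, when: str, approved: bool = False, scope: dict = SCOPE) -> str:
    """Return 'allow', 'needs-approval' or 'deny' for a target at a given ISO time,
    and record the decision in AUDIT_LOG."""
    ip = ipaddress.ip_address(target)
    now = datetime.fromisoformat(when)
    start = datetime.fromisoformat(scope["window"][0])
    end = datetime.fromisoformat(scope["window"][1])

    if not (start <= now <= end):
        decision = "deny"            # outside the agreed engagement window
    elif any(ip == ipaddress.ip_address(x) for x in scope["excluded"]):
        decision = "deny"            # explicitly excluded beats everything else
    elif not any(ip in ipaddress.ip_network(n) for n in scope["in_scope"]):
        decision = "deny"            # not covered by any in-scope range
    elif any(ip == ipaddress.ip_address(x) for x in scope["handle_with_care"]) and not approved:
        decision = "needs-approval"  # in scope, but fragile: get the contact's go-ahead
    else:
        decision = "allow"

    AUDIT_LOG.append({"target": target, "time": now.isoformat(), "decision": decision})
    return decision
```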

To be concrete, both parties should agree on how test materials/equipment are preserved and paid for. Similarly, the contract should address what to do when resources are not fully utilized. For the best result, client and pen tester should divide the project into stages, then set a schedule for each. This makes it easy to set reasonable deadlines for each stage of the project. A typical timeline for a penetration test is 4 to 6 weeks, divided as follows: Timeline – Although this seems a small detail, it is important to set a precise schedule for penetration tests. The second clause should explain the obligations of each party, that is, the company doing the security test and the customer.