Legal PenTesting

danny
Hello Everyone,

I have a few legal (most important) questions on pentesting:

 

- For a client company who wants to conduct Pentesting, who is the authorized person to sign the Rules of Engagement agreement?

Owner of the company | CEO | CSO | Director of Tech | CTO

 

- If the server to be tested is hosted by a third party provider, who in the third party provider is authorized to provide consent?

 

- Does the provider too have to sign the RoE agreement?

 

- What is the best way of sharing a report to a client/customer?

Password-protected PDF in compressed format, OR a web site with 2FA and multiple user logins for report sharing (not sure if there is a tool for this)

 

The third party provider might need a separate report if there are findings which involve the provider.

Cheers

GiRa

- For a client company who wants to conduct Pentesting, who is the authorized person to sign the Rules of Engagement agreement?

Owner of the company | CEO | CSO | Director of Tech | CTO

 

It really depends on the client company internal workings.

It could be the purchase department, the CISO, the CTO, someone in the middle management or even the CEO.

The RoE should clearly state that the person who is signing it represents the client company.

 

- If the server to be tested is hosted by a third party provider, who in the third party provider is authorized to provide consent?

- Does the provider too have to sign the RoE agreement?

This is similar to the previous question. Plus this depends on the agreement between your client and the service provider.

In any case the provider should know when and from which IP address pool you are running your tests.

 

- What is the best way of sharing a report to a client/customer?

Password-protected PDF in compressed format, OR a web site with 2FA and multiple user logins for report sharing (not sure if there is a tool for this)

https://justcrypt.it

Or via other means; some companies think that a printed report sent via paper mail is secure :)

 

The third party provider might need a separate report if there are findings which involve the provider.

You should not test the provider's network or infrastructure. This is a very delicate aspect. If your client is sharing resources with others, you could need a lawyer to review the RoE.

danny

Hi Gira,

Even if the RoE mentions someone (CEO|...) representing the company, wouldn't someone (owner|CEO) have to authorize that person to represent the company?

 

Can I safely assume that owner|CEO|CSO|CISO|CTO are the ones who are definitely authorized?

 

 

Talking about the RoE, what is the best form for signing the document?

- Digital signatures 

- App like DocuSign

- Traditional paper, sign and seal

 

 

Is there a chance someone has a reference to a good (starting point) document for RoE? 

 

http://www.pentest-standard.org/index.php/Main_Page is a good one that I have come across.

Cheers,

Danny

GiRa

Even if the RoE mentions someone (CEO|...) representing the company, wouldn't someone (owner|CEO) have to authorize that person to represent the company?

Of course. But this is internal workings. The RoE is a contract between the penetration tester and the client.

For example: do you think that a CEO has to personally authorize every contract for office paper supply? Delegation is the key :)

 

Can I safely assume that owner|CEO|CSO|CISO|CTO are the ones who are definitely authorized?

Again, it depends.

 

Talking about the RoE, what is the best form for signing the document?

- Digital signatures 

- App like DocuSign

- Traditional paper, sign and seal

This depends on your client and national laws.

danny

Hi Gira,

I get what you are saying. Just want to make sure the testing is done on the safe side.

 

Thank you for your time.

 

Cheers!

GiRa

We are here to help :)

BTW: sometimes a lawyer is mandatory.
