HomeCalendarCertificationsColumnsFeaturesForumResourcesVitals
 
Image
 
linkedin_logo.png rss_logo.jpg
twitter_logo.png youtube_logo.jpg
Latest Additions
 
EH-Net Login
Welcome Guest.
Lost Password?
No account yet? Register
Who's Online
We have 64 guests and 1 member online
 
Advertisement

You are here: Home arrow Resourcesarrow Career Centralarrow My first offical pentest - Writing contract
EH-Net
May 22, 2013, 02:49:55 PM *
Welcome, Guest. Please login or register.
Did you miss your activation email?

Login with username, password and session length
News: Go back to The Ethical Hacker Network Online Magazine Home Page
 
   Home   Help Calendar Login Register  
Pages: [1]   Go Down
« previous next »
  Print  
Author Topic: My first offical pentest - Writing contract  (Read 4255 times)
0 Members and 1 Guest are viewing this topic.
pwned
Newbie
*
Offline Offline

Posts: 3


View Profile
« on: March 08, 2011, 11:39:56 AM »
I'm about to do my first offical pentest in 2 days and is working on a contract that gives me permissions to do the test and so on.

But since I havn't worked by contract before I would like a nudge in the right direction when it comes to the contracting-part.

Bottomline on the test:
A company that offers hosting and webdesign is in the need of a pentest on their webplatform which include sites designed and coded by them that is hosted on their server.

So basically I will do a "full" pentest, excluding password-attacks and DoS-attacks.

The only thing I get down in the contract so far is:
- The company permits me, under a period of time, conduct the pentest.
- All information and results are confidential.
- As a result of the test, a presentation with the admin which include fixes.
- The test will be conducted within the companies network.

I know that I'm missing ALOT but I would really need someone to nudge me in the right direction.
Logged
hell_razor
Jr. Member
**
Offline Offline

Posts: 90


View Profile
« Reply #1 on: March 08, 2011, 12:08:52 PM »
You should probably try to include an indemnity clause for any downtime, damage to their systems, etc., as part of the permission section.  They may decline it (all contracts are negotiable and should be treated by both parties as such), but try.
Logged
A+, Network+, Server+, CISSP, GSEC, GCIH, GPEN, GCIA, GISP, GCFW
Equix3n-
Sr. Member
****
Offline Offline

Posts: 386



View Profile
« Reply #2 on: March 08, 2011, 10:25:11 PM »
Perhaps this might help you
http://www.pentest-standard.org/index.php/Pre-engagement
Logged
ajohnson
Recruiters
Hero Member
*
Offline Offline

Posts: 1057


aka dynamik


View Profile WWW
« Reply #3 on: March 11, 2011, 07:03:11 PM »
I'd be terrified to do a pen test with a contract I wrote. I hope this went / is going well for you. You should seriously have a lawyer who is familiar with these types of services write the contracts for you. Have you purchased insurance?
Logged
WIP: GCFA | www.infosiege.net | @infosiege

The day you stop learning is the day you start becoming obsolete.
Pages: [1]   Go Up
  Print  
« previous next »
 
Jump to:  

Powered by MySQL Powered by PHP Powered by SMF 1.1.18 | SMF © 2013, Simple Machines
Joomla Bridge by JoomlaHacks.com 		Valid XHTML 1.0! Valid CSS!
Page created in 0.081 seconds with 22 queries.
 
Exclusive Deal

sansfire13_245x90_cw90.jpg
SANSFIRE 2013
June 15 - 22

5% Off w/ Code: EHN_5

SANS Deals 4 EH-Netters
5% OFF Any SANS Course in Any Format!
Coupon Code: EHN_5 Including SANS Rocky Mountain 2013 & SANS Boston 2013
Polls
Compared to this year, 2013 will be:
 
Recent Forum Topics
EH-Net News Feeds
Latest Additions
 
         
Free Business and Tech Magazines and eBooks

© 2013 The Ethical Hacker Network
Joomla! is Free Software released under the GNU/GPL License.