HomeCalendarCertificationsColumnsFeaturesForumResourcesVitals
 
Image
 
linkedin_logo.png rss_logo.jpg
twitter_logo.png youtube_logo.jpg
Latest Additions
 
EH-Net Login
Welcome Guest.
Lost Password?
No account yet? Register
Who's Online
We have 63 guests online
EH-Net News Feeds
Latest Additions
 
Advertisement

You are here: Home arrow Forum arrow Resourcesarrow Career Centralarrow My first offical pentest - Writing contract
EH-Net
May 26, 2012, 02:44:34 AM *
Welcome, Guest. Please login or register.
Did you miss your activation email?

Login with username, password and session length
News: Advertise on EH-Net!! - Reasonable Rates, Highly Targeted Audience.
 
   Home   Help Calendar Login Register  
Pages: [1]   Go Down
« previous next »
  Print  
Author Topic: My first offical pentest - Writing contract  (Read 2879 times)
0 Members and 1 Guest are viewing this topic.
pwned
Newbie
*
Offline Offline

Posts: 3


View Profile
« on: March 08, 2011, 11:39:56 AM »
I'm about to do my first offical pentest in 2 days and is working on a contract that gives me permissions to do the test and so on.

But since I havn't worked by contract before I would like a nudge in the right direction when it comes to the contracting-part.

Bottomline on the test:
A company that offers hosting and webdesign is in the need of a pentest on their webplatform which include sites designed and coded by them that is hosted on their server.

So basically I will do a "full" pentest, excluding password-attacks and DoS-attacks.

The only thing I get down in the contract so far is:
- The company permits me, under a period of time, conduct the pentest.
- All information and results are confidential.
- As a result of the test, a presentation with the admin which include fixes.
- The test will be conducted within the companies network.

I know that I'm missing ALOT but I would really need someone to nudge me in the right direction.
Logged
hell_razor
Jr. Member
**
Offline Offline

Posts: 83


View Profile
« Reply #1 on: March 08, 2011, 12:08:52 PM »
You should probably try to include an indemnity clause for any downtime, damage to their systems, etc., as part of the permission section.  They may decline it (all contracts are negotiable and should be treated by both parties as such), but try.
Logged
A+, Network+, Server+, CISSP, GSEC, GCIH, GPEN, GCIA, GISP, GCFW
Equix3n-
Sr. Member
****
Offline Offline

Posts: 379



View Profile
« Reply #2 on: March 08, 2011, 10:25:11 PM »
Perhaps this might help you
http://www.pentest-standard.org/index.php/Pre-engagement
Logged
ajohnson
Recruiters
Hero Member
*
Offline Offline

Posts: 650


aka dynamik


View Profile WWW
« Reply #3 on: March 11, 2011, 07:03:11 PM »
I'd be terrified to do a pen test with a contract I wrote. I hope this went / is going well for you. You should seriously have a lawyer who is familiar with these types of services write the contracts for you. Have you purchased insurance?
Logged
WIP: OSCP | www.infosiege.net | @infosiege

The day you stop learning is the day you start becoming obsolete.
Pages: [1]   Go Up
  Print  
« previous next »
 
Jump to:  

Powered by MySQL Powered by PHP Powered by SMF 1.1.16 | SMF © 2011, Simple Machines
Joomla Bridge by JoomlaHacks.com 		Valid XHTML 1.0! Valid CSS!
Page created in 0.192 seconds with 23 queries.
 

gk_static-ad_feb2012.jpg
Global Knowledge: Build Security Skills to Protect & Defend

els_130x200fixed2.gif
eLearnSecurity Student Course Now Live!
5% Off with Code
ELS-EH-5

SANS Deals 4 EH-Netters
$150 OFF Any SANS Course in Any Format!
Coupon Code: EHN_Connect Including SANS Security West 2012 & SANSFIRE 2012
Recent Forum Topics

cbtnuggets_logo_125.jpg
Try CBT Nuggets Free!

Vote For EH-Net

Add to Technorati Favorites
technorati fave

 
         
Advertisement

© 2012 The Ethical Hacker Network
Joomla! is Free Software released under the GNU/GPL License.