Penetration Testing: RE: Pen testing a off-site web server

From: Jim Huddleston <hudd3_at_ix.netcom.com>
Date: Tue, 22 May 2001 18:47:58 -0500

Additionally, ask if any testing is part of the SLA between the provider and
client. If not, recommend that the SLA include it when the contract is
renewed. I have had some ISPs refuse testing and others who only want it
conducted on-site at their facilities. Make sure you are flexible as to the
time you run the tests. Generally they will want them run during off hours.

Regards,

Jim Huddleston, CISSP
hudd3_at_ix.netcom.com

-----Original Message-----
From: batz [mailto:batsy_at_vapour.net]
Sent: Tuesday, May 22, 2001 5:22 AM
To: Franklin DeMatto
Cc: pen-test_at_securityfocus.com
Subject: Re: Pen testing a off-site web server

On Sun, 20 May 2001, Franklin DeMatto wrote:

:Anyone know how to handle the legal/bureaucratic aspects of pen-testing a
:web server which is not in-house, but property of a hosting company??
:
:Any real-world advice, forms, paperwork, or legal info. would be
:appreciated.

Have your client inform their vendor that they require a third party of
their choosing to evaluate the security of their own networks and digital
assets.
The vendor may give some pushback, but you can give them assurances that
no interruption of service will occur, give them a 24/7 number to reach
the testing staff at, and make sure your client states that it is a part
of their security policy to require this testing on all internal, and vendor
supplied equipment. "Requirement" meaning, "in order to do business with".

I think the vendor should be accommodating.

--
batz
Reluctant Ninja
Defective Technologies
Received on May 24 2001