Home page logo

pen-test logo Penetration Testing mailing list archives

Re: rules of engagement scope
From: Ivan Arce <ivan.arce () coresecurity com>
Date: Thu, 18 May 2006 20:47:14 -0300

Sorry, I still don't understand the point being made. Again, why is it bad
to define a scope for the pentest?

Michael Sierchio wrote:
Ivan Arce wrote:
Frankly I don't see what kind of logical reasoning leads from
defining the scope for a penetration test ex-ante to committing fraud,
maybe I need some rest to ponder about these things more seriously.

In some states in the US there is a cause for civil action
known as "fraud by exceeding the scope of consent".

The original author (Mr. Nasty) equated defining the scope of a penetration
test to committing (or attempting to commit) fraud on the basis that if you
define a precise scope then you are purposely leaving out things that may be
important to the general public (I am assuming that he intended to apply
that rational to  government,public service organization and public companies).

So you are talking about a different thing: Fraud (or is it phraud?)
committed by the penetration tester because she exceed the scope of what she
was allowed to do, whereas Mr. Nasty proposed that having a scope defined by
the organization subject to the test is somehow equivalent to fraud (if the
results of the test are not made public)

I submit that scope definition prior to a penetration test is a good thing
because it syncs both the tester and the testee on what is considered
important, valid, desired, etc., ant helps to plan resource allocation
accordingly and to understand and align expectations.

BTW you can still define the scope as: "Anything goes, no restrictions
whatsoever" but then you would be letting the penetration tester do whatever
she feels like doing and unless both parties have a good and long standing
relationship it becomes harder for both to assess the costs and the value of
the work.

As an individual consultant in this litigious society,
I want more than an affirmative defense, which may
bankrupt me even if I am found not at fault.

Ever heard the term "professional liability insurance" ?


"Buy the ticket, take the ride" -HST

Ivan Arce


PGP Fingerprint: C7A8 ED85 8D7B 9ADC 6836  B25D 207B E78E 2AD1 F65A

This List Sponsored by: Cenzic

Concerned about Web Application Security? 
Why not go with the #1 solution - Cenzic, the only one to win the Analyst's 
Choice Award from eWeek. As attacks through web applications continue to rise, 
you need to proactively protect your applications from hackers. Cenzic has the 
most comprehensive solutions to meet your application security penetration 
testing and vulnerability management needs. You have an option to go with a 
managed service (Cenzic ClickToSecure) or an enterprise software 
(Cenzic Hailstorm). Download FREE whitepaper on how a managed service can 
help you: http://www.cenzic.com/news_events/wpappsec.php 
And, now for a limited time we can do a FREE audit for you to confirm your 
results from other product. Contact us at request () cenzic com for details.

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]