RE: Pen testing a off-site web server

["Spencer, Ed M. -ND" <Ed.M.Spencer.-ND () disney com>]

The only way to stop this sort of thing that I've seen is through the use of
limited disclosure requirements in the contracts.  This is done by
explicitly stating who may see and/or use the report (or any part of the
report) in the organization or outside of it.  I've seen this information
included in nearly all contracts from larger organizations performing audits
(E&Y, TruSecure, others).  This at least provides a deterrent to spreading
your work around without compensation.  Be careful with this though, you
have to overcome the 'work for hire' limitations in many states.

I'm no lawyer, but this at least seems to point out the problem to the
client and hopefully they understand the reasons for the limits and will
accept them.

Ed Spencer
MCSE/MCT/CNA/A+/Network+
Security Analyst - IS Security
Renaissance Worldwide, Inc. - Walt Disney World
 
This communication is confidential, intended only for the named recipient(s)
above and may contain trade secrets or other information that is exempt from
disclosure under applicable law.  Any use, dissemination, distribution or
copying of this communication by anyone other than the named recipient(s) is
strictly prohibited.  If you have received this communication in error,
please immediately notify us by calling (407) 566-5195.  The ideas,
opinions, and information expressed within the above email are the express
sole opinion of the author and are not the opinion of the Walt Disney World
Corporation.  Thank you.


-----Original Message-----
From: Mike Forrester [mailto:mikef () pocketlint com]
Sent: Wednesday, May 30, 2001 2:35 PM
To: pen-test () securityfocus com
Subject: RE: Pen testing a off-site web server


Another thing that might need to be discussed during the approval process is
the disclosure of the results of the test to the web-hosting company.
Someone is paying you to audit their services, but does the hosting company
get this information for free?  I did an audit of a web-based content
delivery service that one of our departments wanted to use.  They sent us an
eval server and I broke into it fairly easy (RDS bug :) ).  I wrote a
detailed document for internal use stating all the security problems with
their server.  One of the managers of the project just emailed the entire
doc to the company that provided the eval server.  Basically, they got a
nice detailed security audit for free.  The problem is how do you have them
fix all the bugs or justify to management that the security of the product
or service sucks without providing free security consulting to all of your
vendors?  You are providing security awareness and potential increasing the
company's security, but should you be doing it for free?  We haven't really
come up with a solution to the dilemma.  How have others addressed this?

Mike