Penetration Testing mailing list archives
Re: pentest documentation
From: Sol Invictus <sol () haveyoubeentested org>
Date: Mon, 02 Oct 2006 19:15:52 -0400
> I want to document the pentest process in detail, not only for the
> customer, but for later reviews and to avoid legal difficulties.
If I knew you were keeping pentest info on my company I wouldn't hire you. Keeping that data around makes you a target for all your customers.

But in answer to your real question about how to track everything: you can use Wireshark right next to your attack machine and "record" everything that happens between you and the client. All of that data can then be burnt to a CD along with an MD5 hash of the entire CD that you can keep on file. The CD or multiple CDs would then be given to the customer and all data on your systems purged at the end of the project.

Then you put it in your contract that if litigation ever takes place, the CD or CDs must be subpoenaed and the MD5 verified with the code you have on file. That way it's the customer's responsibility to secure it, and if the MD5 ever changes, then they've modified the CD and that throws out their entire case.
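As an added example, not code from the original post or from Wireshark: the hash-and-hand-over step above, done as a POSIX shell script. It assumes the engagement artefacts (captures written with something like `tcpdump -s 0 -w session-01.pcap`, notes, tool output) sit in one directory, that `sha256sum` or `shasum` is installed, and that the manifest is stored beside the bundle rather than inside it. It uses SHA-256 instead of MD5, because MD5 collisions have been publicly demonstrated and a hash the other side could collide is weak evidence. The one value the tester keeps on file is the hash of the manifest; the manifest itself goes on the disc with the evidence. The sample files it creates are constructed placeholders.

```shell
#!/bin/sh
# Added example, not code from the original post: build a hash manifest for an
# engagement evidence bundle, record one hash of that manifest, and later verify
# the bundle against it. Assumes sha256sum (GNU coreutils) or shasum (Perl).
set -eu

# Hash files with whichever SHA-256 tool is present.
sha256() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$@"; else shasum -a 256 "$@"; fi
}

# make_manifest EVIDENCE_DIR MANIFEST_PATH
# Writes "hash  relative/path" for every file under EVIDENCE_DIR, sorted so the
# manifest is reproducible, and prints the SHA-256 of the manifest itself.
# MANIFEST_PATH must lie outside EVIDENCE_DIR (it would otherwise hash itself).
make_manifest() {
    _dir=$1
    _manifest=$2
    (
        cd "$_dir"
        find . -type f | sed 's|^\./||' | LC_ALL=C sort | while IFS= read -r f; do
            sha256 "$f"
        done
    ) > "$_manifest"
    sha256 "$_manifest" | cut -d' ' -f1
}

# verify_manifest EVIDENCE_DIR MANIFEST_PATH EXPECTED_MANIFEST_HASH
# Returns 0 only if the manifest is byte-identical to the one hashed at hand-over,
# every listed file still matches, and no file has been added or removed.
verify_manifest() {
    _dir=$1
    _manifest=$(cd "$(dirname "$2")" && pwd)/$(basename "$2")
    _expected=$3
    _actual=$(sha256 "$_manifest" | cut -d' ' -f1)
    if [ "$_actual" != "$_expected" ]; then
        echo "manifest hash mismatch: expected $_expected, got $_actual" >&2
        return 1
    fi
    # sha256sum -c only checks files that are listed; catch added/removed files too.
    _listed=$(wc -l < "$_manifest" | tr -d ' ')
    _present=$(cd "$_dir" && find . -type f | wc -l | tr -d ' ')
    if [ "$_listed" != "$_present" ]; then
        echo "file count changed: manifest lists $_listed, directory has $_present" >&2
        return 1
    fi
    if ! (cd "$_dir" && sha256 -c --status "$_manifest"); then
        echo "one or more evidence files differ from the manifest" >&2
        return 1
    fi
    return 0
}

# demo: constructed evidence bundle, an intact check, then a tampered check.
# Returns 0 only if the intact bundle verifies and the tampered one is rejected.
demo() {
    _work=$(mktemp -d)
    mkdir -p "$_work/evidence/captures"
    # Constructed placeholders standing in for a real capture and the tester's notes.
    printf 'constructed placeholder for session-01.pcap\n' > "$_work/evidence/captures/session-01.pcap"
    printf 'scope: 192.0.2.0/24 (constructed example range)\n' > "$_work/evidence/notes.txt"

    _keep=$(make_manifest "$_work/evidence" "$_work/MANIFEST.sha256")
    verify_manifest "$_work/evidence" "$_work/MANIFEST.sha256" "$_keep" || return 1

    # Tamper with a file after hand-over: verification must now fail.
    printf 'x' >> "$_work/evidence/notes.txt"
    if verify_manifest "$_work/evidence" "$_work/MANIFEST.sha256" "$_keep" 2>/dev/null; then
        return 1
    fi
    rm -rf "$_work"
    return 0
}

demo && echo "intact bundle verified, tampered bundle rejected"
```

The value printed by `make_manifest` is the only thing worth retaining after the purge; it should be written into something whose date can be proven (the signed engagement letter, a countersigned hand-over receipt), since a hash alone does not show when it was made. Burning the manifest onto the disc with the evidence means the customer holds both, and the verification step still works from the single retained value.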
Current thread:
- pentest documentation Jürgen R. Plasser (Oct 02)
- Re: pentest documentation David Swafford (Oct 02)
- Re: pentest documentation Jürgen R. Plasser (Oct 02)
- Re: pentest documentation Andres Riancho (Oct 02)
- Re: pentest documentation IndianZ (Oct 02)
- Re: pentest documentation Jason Ross (Oct 02)
- Re: pentest documentation Jürgen R. Plasser (Oct 03)
- Re: pentest documentation Jürgen R. Plasser (Oct 02)
- Re: pentest documentation David Swafford (Oct 02)
- Re: pentest documentation Tonnerre Lombard (Oct 03)
- <Possible follow-ups>
- Re: Re: pentest documentation krymson (Oct 02)
- Re: pentest documentation David Ball (Oct 03)
- RE: Re: pentest documentation William Woodhams (Oct 03)
- Re: pentest documentation Ben Anderson (Oct 03)