Read the book Web Penetration Testing - Radhi Shatob - Page 18

Legal Issues


Before beginning a pen-test, the penetration tester and the company should enter into a contract indicating exactly what the pen-tester will and will not do, including the range of IP addresses, subnets, computers, networks or devices that will be the subject of the pen-test.

The contract should indicate not only that the pen-testing is authorized by the customer, but also that the customer has the legal authority to authorize the penetration test. This is a very important subject, especially in Cloud-based systems: if the customer authorizes the pen-tester to perform pen-testing on a system or application that resides in the cloud, the customer does not have legal authority over the Cloud system and should obtain authorization from the Cloud Service Provider first. If the Cloud Service Provider is uninformed and did not authorize the test, it might go after the pen-tester for unauthorized access.

A Non-Disclosure Agreement (NDA) is a legal contract that outlines the confidential material, knowledge or information that the customer will share with the pen-tester but wishes to restrict access to or by third parties, because the pen-tester will learn almost everything.
