Specifically considering client websites where we have been asked to execute a pen test; at what point do we stop and say we're done?

We have access to various tools (some automated, some manual); but if we say "we tried all our tools, and couldn't make any progress", that could be construed as us saying that we're not clever enough (and there's always some hacker out there who could be cleverer).

So; how do we protect ourselves against upset clients who claim that we didn't work with due diligence? Is there a standard report framework we can work within?

Short answer: you specify the scope and expected output in the initial contract for services – schroeder 12 hours ago

So this is actually a very interesting question for the industry in general. The way I would suggest you handle it is:

  • Have something in your contract that disclaims liability for vulnerabilities not noted during testing. Reason for this is, it's basically impossible to be sure that you've found every exploitable issue in a website, or any other system. To pick one example, think of all the sites that were sitting vulnerable to shellshock for years and years, should all the pen test companies who touched one of those sites be liable for not telling their customers?

  • Have a methodology, saying what you will do. This should cover the general areas of testing that will be completed. For websites, consider basing on something like the OWASP Top 10 as a starting point. This gives you some common ground with the customer on what you'll be looking at.

  • Make sure your company covers the basics with a checklist. As @rapli says above, document all the little things, but don't overblow the severity. Whilst it's important to make sure your test isn't just a checklist, using one can avoid embarrassing mistakes where basic tests get missed.

The problem you might/will run into is unrealistic expectations from customers. That one is a case-by-case thing to address. If you get a customer that expects that their complex application will be completely reviewed in like 5 person-days of testing, well, you should explain why that's not a practical concept :)

You should disclaim liability for any vulnerabilities, period. Even if you noted an issue, there is no guarantee that your client will fix it. – DepressedDaniel 4 hours ago

Specify in the contract which security aspects you investigate and only take responsibility for those. You won't always find vulnerabilities. But I guarantee you will find a few minor things, and I suggest you include every little detail you can in the report: missing HSTS in headers, weak ciphers, etc. So they see that you did something.

There are some reporting tools I know of, but they are either not publicly available or paid products.

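As an added illustration of the "document the little things, without overblowing severity" advice in both answers (this is example code, not anything posted in the thread): a small checker that turns a captured HTTP response into report-ready HSTS findings. The severity labels and the one-year max-age threshold are my assumptions, not something the answers specify.

```python
"""Produce report findings for a missing or weak Strict-Transport-Security
header from a captured HTTP response. Example code, not from the thread;
severity labels and the one-year threshold are assumptions."""
import re

# Constructed sample responses (not real captures).
RESPONSE_NO_HSTS = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>"
RESPONSE_WEAK_HSTS = "HTTP/1.1 200 OK\r\nStrict-Transport-Security: max-age=300\r\n\r\n"
RESPONSE_GOOD_HSTS = ("HTTP/1.1 200 OK\r\nStrict-Transport-Security: "
                      "max-age=31536000; includeSubDomains\r\n\r\n")

ONE_YEAR = 31536000  # assumed minimum max-age worth reporting as adequate


def parse_headers(raw):
    """Return the response headers as a dict with lower-cased names."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def parse_hsts(value):
    """Split an HSTS value into its directives (value-less ones map to True)."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" in part:
            key, val = part.split("=", 1)
            directives[key.strip().lower()] = val.strip().strip('"')
        else:
            directives[part.lower()] = True
    return directives


def hsts_findings(raw):
    """Return a list of (severity, description) report items, possibly empty."""
    headers = parse_headers(raw)
    if "strict-transport-security" not in headers:
        return [("Low", "Strict-Transport-Security header missing")]
    directives = parse_hsts(headers["strict-transport-security"])
    findings = []
    max_age = directives.get("max-age")
    if max_age is None or not re.fullmatch(r"\d+", str(max_age)):
        findings.append(("Low", "HSTS header has no valid max-age directive"))
    elif int(max_age) < ONE_YEAR:
        findings.append(("Info", f"HSTS max-age is {max_age}s, below one year"))
    if "includesubdomains" not in directives:
        findings.append(("Info", "HSTS does not set includeSubDomains"))
    return findings
```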
