Penetration Testing mailing list archives
Re: pentest documentation
From: Tonnerre Lombard <tonnerre.lombard () sygroup ch>
Date: Tue, 03 Oct 2006 07:54:09 +0200
Salut, On Mon, 2006-10-02 at 19:15 -0400, Sol Invictus wrote:
All of that data can then be burnt to a CD along with an MD5 hash of the entire CD that you can keep on file. The CD or multiple CD's would then be given to the customer and all data on your systems purged at the end of the project. Then you put it in your contract that if litigation ever takes place, the CD or CD's must be subpoenaed and the MD5 verified with the code you have on file. That way it's the customer's responsiblity to secure it and if the MD5 ever changes, then they've modified the CD and that throws out their entire case.
A more accepted way of doing it is probably to have both you and the customer digitally sign the material, whereas your signature should be held by the customer and vice versa. This way noone can create a new signature and claim that the material was changed, while in fact it wasn't (because both signatures attest that it is unchanged, and both signatures are in the hands of people who can't forge them). Tonnerre -- SyGroup GmbH Tonnerre Lombard Loesungen mit System Tel:+41 61 333 80 33 Roeschenzerstrasse 9 Fax:+41 61 383 14 67 4153 Reinach BL Web:www.sygroup.ch tonnerre.lombard () sygroup ch
Attachment:
signature.asc
Description: This is a digitally signed message part
Current thread:
- Re: pentest documentation, (continued)
- Re: pentest documentation David Swafford (Oct 02)
- Re: pentest documentation Jürgen R. Plasser (Oct 02)
- Re: pentest documentation Andres Riancho (Oct 02)
- Re: pentest documentation IndianZ (Oct 02)
- Re: pentest documentation Jason Ross (Oct 02)
- Re: pentest documentation Jürgen R. Plasser (Oct 03)
- Re: pentest documentation Jürgen R. Plasser (Oct 02)
- Re: pentest documentation David Swafford (Oct 02)
- Re: pentest documentation Tonnerre Lombard (Oct 03)