Penetration Testing mailing list archives

Educational Security Assessment project for Northern Virginia Community College students.


From: Djiali <djiali () speakeasy net>
Date: Mon, 24 Jan 2005 06:29:32 -0500

Good morning list,
I'm a student enrolled in the Information Systems Security Certification program offered at Northern Virginia Community College. This certification is considered a specialization for students who already have a degree in a network-related field and have completed the course load required for the InfoSec certification. The final course is an independent study supervised by the most senior InfoSec faculty member. The goal of this course is to offer students real-world experience in conducting a security assessment on a real company. The whole course is structured to protect both the company and students from any harm...we've had to sign an ethics contract with the college, and we will have to enter into a contractual agreement with the company we would be working with.
As the team leader, I've decided to proceed using the OSSTMM methodology for Information Systems (we're not going to try any war dialing, site surveys, or try to enter the company's physical location). From our side, we're going to conduct the port scanning, enumeration, and web application testing on the live systems, but then take the "proof of findings" stage into our test lab where we'll replicate the company's production environment and attempt to exploit any holes we find. No harm will be done to your production systems.
Now for the dilemma part. As you can imagine, it's been a little hard for us to find someone to work with...companies would rather leave their holes undiscovered than have some students identify them for free!! I can't say that I blame them entirely...I don't know what I would do if the tables were turned. This is why I'm turning to the list...I'm hoping that if we can discuss the project with security folks who understand what we're trying to do, we'd have better luck.
In any event, if you think that you might help out a group of students trying to break into the InfoSec world, please email me directly. I have some preliminary project plans, the course syllabus which outlines everything, and of course, the contact information for our professor if you wish to contact him for validation.
Thanks!!
Wade

