Re: Sample pent test agreement

[Pete Herzog <lists () isecom org>]

I recomend a contract that covers the following and is agreed and signed
by both parties:

Non-disclosure - to the level you are both comfortable with.  In some
cases, it may be important that they do not share the test report or
this contract itself outside of their own organization. Be sure to
include the requirement for confidentiality safeguard on both parties
(GPG for example) for limited liability.

Non-compete - if the organization is of the business or nature to
deconstruct and re-engineer your testing practice to

Limited liability - a good rule of thumb is to limit liability to the
cost of the engagement.  This includes everything from down time to
repairs.  I also recommend seperately signed pages each excusing you
from very limited liability (10% of cost of engagement) while conducting
Social Engineering (possible employee lawsuits) or Denial of Service
testing (with the clear indication that no bandwidth flooding from the
internet will be performed).

Responsibilities of the client - everything from scope info, e-mail
acounts, network access to the names of emergency contacts can be listed
here.  Ensure that the client knows that he/she is responsible for
contacting any and all related 3rd parties in the necessity of the test
(ISP, partners using the extranet, partners in general whose contractors
are on sight and may fall victim to attacks, S.E. etc.).  Do you want
the client to be clear on IDS/IPS or Honeynets so as not to waste your
time and client's money (see Time and scope limitations below for this)?

Responsibilities of the tester - everything from project delivery dates
(such as 3 weeks from start date), ip range where tests will come from,
scheduled weekly meetings, other contact reasons like when you find an
intruder, to emergency contacts.

Statement of Work - describe what you will do (somewhat generally is
fine but do include penetration depth, test perspectives, and similar)
and exact dates for deliveries in some cases.  It's also good to present
what expectations the client can have regarding the report and the info
it from full color 3D maps to video footage of physical entry).

And a tough one but sometimes required:
Time and Scope limitations liability - you are not liable for problems
which arise outside of the scope which was not defined or testing which
was not be conducted before the time limitation set in this contract
expired.  You may have to limit this exception to finalize after the
first 50% of the time defined in the contract has expired.  In simpler
terms, if you fail to announce a required change in scope or time OR the
client refuses to pay a fair and consistent rate for the inclusion of
this additional scope/time within the first 50% of the the time the
original contracted has expired, then you do have limited liability.

Since I did this off the top of my head, I may have left stuff out.  But
it's a good start along with some of the other things you've read in the
list so far.

-pete.

-- 
Pete Herzog - Managing Director - pete () isecom org 
ISECOM - Institute for Security and Open Methodologies
www.isecom.org - www.osstmm.org
www.hackerhighschool.org - www.isestorm.org
-------------------------------------------------------------------
ISECOM is the OSSTMM Professional Security Tester (OPST),
OSSTMM Professional Security Analyst (OPSA), and Hacker Highschool 
Teacher certification authority. 




random wrote:

> I agree completely with Irene. But we do find that some of our larger
> customers want to negotiate this point. In that case it is a good idea to
> limit you liability to a specified dollar amount like $50K or so. We are
> also required to provide proof on insurance in many cases.
>
>
> -----Original Message-----
> From: Irene Abezgauz [mailto:irene.abezgauz () gmail com] 
> Sent: Sunday, June 26, 2005 5:28 PM
> To: 'Erin Carroll'
> Cc: pen-test () securityfocus com
> Subject: RE: Sample pent test agreement
>
> Hey, 
>
> Liability, liability, and once again, liability.
> You are not liable if they get hacked afterwards. You can't guarantee
> anything (zero day, blackbox, etc.)
> You are not liable for any damages. (but you could still theoretically
> get sued so I'd get good insurance coverage for that)
> Then, you need their well written and detailed consent to have you do
> things to their systems so nobody accuses you of breaking in.
> Another important issue is the scope of the test, so you don't agree on
> a fixed price which covers about 2 applications (or servers), and then
> get introduced to their mega server/application farm... or simply so
> there are no misunderstandings.
>
> These are the most important things, hope I didn't miss anything.
>
> Irene
>
>
>
>
> Irene Abezgauz
> Application Security Consultant
> Hacktics Ltd.
> Mobile: +972-54-6545405
> Web: www.hacktics.com
>
>
> -----Original Message-----
> From: Erin Carroll [mailto:amoeba () amoebazone com] 
> Sent: Sunday, June 26, 2005 6:37 PM
> To: 'evb'; pen-test () securityfocus com
> Subject: RE: Sample pent test agreement
>
> Everyone,
>
> Actually I'd like to expand upon Eric's question to the list a bit. What
> are
> some of the common terms/agreements pen-testers should include in their
> contracts and why? Examples of how such terms (or lack of) in writing
> have
> become issues during pen-testing would be interesting to hear.
>
> Erin Carroll
> "Do Not Taunt Happy-Fun Ball"
>
>
>
> -----Original Message-----
> From: evb [mailto:swiver () cox net] 
> Sent: Sunday, June 26, 2005 9:13 AM
> To: pen-test () securityfocus com
> Subject: RE: Sample pent test agreement
>
> Might anyone be kind enough to share with me a sample penetration
> testing
> agreement (written contract) to use with clients so that I need not
> reinvent
> the wheel?  Thank you so much.
>
> Eric
> tossing_salads () hotmail com
>
>
>
>
>