Penetration Testing mailing list archives
Re: Pen Test--France and Belgium
From: Stefan <netfortius () gmail com>
Date: Tue, 8 Dec 2009 14:50:37 -0600
I would - personally - seek legal advice in the country/ies you are going to carry out the services. While such a mailing list is probably very good for technical issues, *I* think it should only be used to source, not rely upon legal matters.

I have done and serviced IT issues globally, and I wouldn't feel comfortable about "walking" into a different country's legally bound systems analysis, (e.g. security/pen-testing) if not with the help of local legal experts ... in fact I even had to use my foreign language skills to double-check issues, sometimes.

Stefan

On 12/7/09, Michael Daveler <mdaveler () yahoo com> wrote:
Hi List:

We are a USA security company and have been asked by our client to perform a two-phase project of the client's third-party vendors/suppliers located in France and Belgium. Phase one will be a vuln scan, and Phase two will be a penetration test. Both phases will have scans/pen tests originating across the Internet.

We will be securing the appropriate contracts/agreements/etc. with client, client's third-party vendors, consent forms from third-party vendor's ISP's (to allow scans through their networks to third-party vendor, etc.). And most importantly, will have all contract/agreement work done by legal counsel well-versed in this type of work, and knowledgeable of laws in France and Belgium.

In the interim, for the initial fact-finding, looking to see if anyone has put together any checklists, guidance documents or has feedback on things you should/should NOT do while doing scans/pen tests against entities in France and Belgium, what specific laws can be referenced/reviewed, etc.

As an example, I have heard that if doing pen tests of entities in France, you need to follow their crypto laws; had to have lawyers approve the crypto algorithms used for setting up encrypted connections going to and from the country; and some other algorithms required registration with the government to use, etc.

So any and all details are much appreciated. If appropriate, once I have collected all feedback, I can prepare a summary and post back to the list.

Thanks in advance,
--Mike

------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified.

http://www.iacertification.org
------------------------------------------------------------------------
--
Sent from my mobile device

***Stefan Mititelu
http://twitter.com/netfortius
http://www.linkedin.com/in/netfortius