Penetration Testing mailing list archives

Pentest to third party asset


From: Fernando Yong <yong.fernando () gmail com>
Date: Thu, 23 Sep 2010 19:02:50 -0500

Hello list

Any experience pentesting a third-party web app?

My customer needs to run a pentest on the new acquisition (a web
app for inner management). But this app doesn't belong to them; they
just have the software license.

According to its vendor, and as I can see, there is an email in which the
vendor has authorized a pentest of this web app.

Ideally, you know, any pentester would prefer a formal letter between
the vendor and customers in order to legally protect yourself as a
pentester, but it is quite difficult in the real world. You just have
an "email".

Please share experience or advice with me (legal and other repercussions).

Best regards,

fernando
