[Owasp-leaders] Legality of dynamic scanning

Keith Turpin keith.turpin at owasp.org
Thu Nov 3 15:19:31 EDT 2011

I have a question I would like to pose to the other advisory board members.

Has anyone faced external legal challenges or internal attorney guidance
related to dynamic scanning of internally deployed commercial off-the-shelf

As an example, a company purchases a piece of software, like a web based
document management system. They then configure it and install it on their
internal network. They then decide they want to scan that deployment with a
dynamic scanner like AppScan or Web Inspect. I am talking about interface
based dynamic testing only.

Has anyone heard of anyone implementing a policy that would require the
software vendor's authorization to do this type of testing?

I think the problem arises because people are rolling all types of testing
into one bucket and if you were talking about static analysis, especially
if you are attempting to decompile code, that gets into a much grayer area.

I would appreciate comments on this and also any legal precedent that
anyone is aware of.

Keith Turpin
OWASP Project Leader
Secure Coding Practices - Quick Reference Guide