[Owasp-leaders] Legality of dynamic scanning

Paolo Perego thesp0nge at owasp.org
Fri Nov 4 04:44:37 EDT 2011

Never heard about this one.
My experience is that if I buy a commercial webapp, any wapt activity
is completely legal if the scope is within my own servers. (testing
some cloud based functionality can lead to a possible illegal scan).

Different is the case of code review or bytecode analysis involving
reverse engineering the compiled app.

My €0.02


On Fri, Nov 4, 2011 at 1:10 AM, Christian Heinrich
<christian.heinrich at owasp.org> wrote:
> Keith,
> On Fri, Nov 4, 2011 at 6:19 AM, Keith Turpin <keith.turpin at owasp.org> wrote:
>> Has anyone heard of anyone implementing a policy that would require the
>> software vendor's authorization to due this type of testing?
> Depends on the software license, i.e. "reverse engineering" is
> prohibited, but a vendor may be willing to release this information
> under NDA?
> It is easier to negotiate this during procurement e.g.
> http://www.sans.org/appseccontract/
> --
> Regards,
> Christian Heinrich
> http://www.owasp.org/index.php/user:cmlh
> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders

"... static analysis is fun, again!"

OWASP Orizon project leader, http://github.com/thesp0nge/owasp-orizon
OWASP Esapi Ruby project leader, https://github.com/thesp0nge/owasp-esapi-ruby

More information about the OWASP-Leaders mailing list