[Owasp-leaders] Legality of dynamic scanning
thesp0nge at owasp.org
Fri Nov 4 04:44:37 EDT 2011
Never heard about this one.
My experience is that if I buy a commercial webapp, any WAPT activity
is completely legal if the scope is within my own servers (testing
some cloud-based functionality can lead to a possibly illegal scan).
The case of code review or bytecode analysis involving reverse
engineering of the compiled app is different.
On Fri, Nov 4, 2011 at 1:10 AM, Christian Heinrich
<christian.heinrich at owasp.org> wrote:
> On Fri, Nov 4, 2011 at 6:19 AM, Keith Turpin <keith.turpin at owasp.org> wrote:
>> Has anyone heard of anyone implementing a policy that would require the
>> software vendor's authorization to do this type of testing?
> Depends on the software license, i.e. "reverse engineering" is
> prohibited, but a vendor may be willing to release this information
> under NDA?
> It is easier to negotiate this during procurement e.g.
> Christian Heinrich
"... static analysis is fun, again!"
OWASP Orizon project leader, http://github.com/thesp0nge/owasp-orizon
OWASP Esapi Ruby project leader, https://github.com/thesp0nge/owasp-esapi-ruby