[Owasp-leaders] Legality of dynamic scanning

Eoin eoin.keary at owasp.org
Fri Nov 4 05:32:26 EDT 2011


Hey Keith,
I have encountered this a few times.
I try to get my clients to include a "right to audit" clause in any contract.
The static analysis / reverse engineering question can be illegal in some countries as it may be viewed as an avenue to IP theft.
Permission may need to be sought to perform the testing even if there is a right to audit to help ensure your testing efforts have been tracked by the vendor.
I have developed COTS (commercial off the shelf) security policies before wherein the vendor must prove the solution complies with the purchaser's security policy and does not introduce any additional risk to the organisation, among other things such as escrow etc.
-ek
On 3 Nov 2011, at 19:19, Keith Turpin <keith.turpin at owasp.org> wrote:

> I have a question I would like to pose to the other advisory board members.
> 
> Has anyone faced external legal challenges or internal attorney guidance related to dynamic scanning of internally deployed commercial off the shelf software?
> 
> As an example, a company purchases a piece of software, like a web based document management system. They then configure it and install it on their internal network. They then decide they want to scan that deployment with a dynamic scanner like AppScan or Web Inspect. I am talking about interface based dynamic testing only.
> 
> Has anyone heard of anyone implementing a policy that would require the software vendor's authorization to do this type of testing?
> 
> I think the problem arises because people are rolling all types of testing into one bucket and if you were talking about static analysis, especially if you are attempting to decompile code, that gets into a much grayer area.
> 
> I would appreciate comments on this and also any legal precedent that anyone is aware of.
> 
> -- 
> 
> Keith Turpin
> OWASP Project Leader
> Secure Coding Practices - Quick Reference Guide