[Owasp-leaders] Legality of dynamic scanning

Ludovic Petit ludovic.petit at owasp.org
Fri Nov 4 11:48:55 EDT 2011


Hi Keith,

From a legal point of view, reverse engineering, whatever, is prohibited.
However, if you use some APIs provided by the vendor of the product
allowing you to do what you wish, fair usage is respected, BUT this depends
on the local legal framework.

On the other hand, if you're using a product without modifying the code,
even for something it wasn't initially designed for, you comply with the
legal framework (to be checked locally).

Ludovic

On Thu, Nov 3, 2011 at 8:19 PM, Keith Turpin <keith.turpin at owasp.org> wrote:

> I have a question I would like to pose to the other advisory board members.
>
>
>
> Has anyone faced external legal challenges or internal attorney guidance
> related to dynamic scanning of internally deployed commercial off-the-shelf
> software?
>
>
>
> As an example, a company purchases a piece of software, like a web based
> document management system. They then configure it and install it on their
> internal network. They then decide they want to scan that deployment with a
> dynamic scanner like AppScan or Web Inspect. I am talking about interface
> based dynamic testing only.
>
>
>
> Has anyone heard of anyone implementing a policy that would require the
> software vendor's authorization to do this type of testing?
>
>
>
> I think the problem arises because people are rolling all types of testing
> into one bucket and if you were talking about static analysis, especially
> if you are attempting to decompile code, that gets into a much grayer area.
>
>
>
> I would appreciate comments on this and also any legal precedent that
> anyone is aware of.
>
>
> --
> *Keith Turpin*
> OWASP Project Leader
> Secure Coding Practices - Quick Reference Guide
>
>
> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>
>