Vulnerability testing needs to proceed only with a complete understanding from both parties about what is going to happen. A live system needs to be tested very cautiously to prevent users being inconvenienced. If a standalone test system can be arranged, then a more aggressive approach may be used. Either way, agreement needs to be confirmed in writing before testing can commence.
I have a standard terms and conditions document that sets out a few ground rules for my testing services. I don't make this publicly available, but any potential client can ask for a copy for perusal. Basically, it says:
- All information I have about the client's system, both given to me and that I find, will be treated in strictest confidence.
- I'll conduct my testing as agreed, in time slots as agreed, using methods and techniques as agreed.
- The client's system is going to be attacked in a hostile, albeit controlled, way. I make every effort to ensure no damage is done, but the whole point is that I'm trying to break it. I can't be held liable if there is permanent damage or data loss. It's the client's responsibility to take backups, etc.
- Just because the client's system has been tested, that doesn't mean it's immune to attack.
- A copy of the source code behind the website is not normally required - I perform "black box" system testing. If the system is such that I might benefit from having a copy of the source code, and the client is willing to give it to me, I would accept responsibility for that source code under any reasonable Non Disclosure Agreement.
- I deliver a written and minuted report on what sort of attacks were attempted, which ones uncovered problems and what the remedies for those problems might be. Depending on location, I can sometimes attend a client's site to present or discuss my findings.
- The final report can be written to contain relevant, targeted advice, as requested by the client. This might include advice on how to reduce an application's exposure, how to harden a system against attack using intrusion detection, application and system level firewalls, secure coding methods, and so on. Such points don't normally appear in a report and their inclusion will be agreed in advance.
All aspects of the test procedure are negotiable and ultimately within the client's control. I'm happy to perform the exact test procedure the client requires.
Once the terms are agreed, the Client completes my "specification" document which details the systems, servers, IP addresses and so on which are to be tested, a technical contact I can call should I crash a system, and so on. I need this information signed off (digitally or with old fashioned ink) before I can proceed.
Note that my agreement documents are generic, and will sometimes need to be modified for a particular test. I'm happy to consider and make such modifications as necessary.