The pitfalls of penetration testing without a signed agreement (typically a statement of work and rules of engagement; this is not the same thing as a service level agreement, which governs uptime and support, not authorization) range from legal ramifications to practical problems. Before a pen test begins, the parties should enter into a written contract stating what the pentester will and will not do, and the exact range of IP addresses, subnets, computers, networks or devices that will be in scope. If the test includes a source-code review or decompiling, confirm that the software license or copyright does not prohibit reverse engineering or code review. The pentester should also obtain a "get out of jail free" letter from the customer that states not only that the pentesting is authorized, but also that the customer has the legal authority …
Let's face it: when you are engaged in pen testing, you are in a sense "breaking in" to a computer or computer network. What constitutes "authorization," and who can grant it, can quickly become murky. Ethical hackers attempt to penetrate a system only at the behest of its owner or operator, or otherwise with the actual or implied consent of someone with authority over it. Keep in mind that a customer can only authorize testing of systems it owns or controls; hosts operated by a third party (a hosting or cloud provider, an ISP, a SaaS vendor) require that party's permission or a published policy that explicitly permits such testing.

Damage Control

Another legal issue in pentesting, especially when the test is run against a production or live system, is the potential impact on the users of that system. Liability may extend beyond "ordinary" (direct) damages to "consequential" and "incidental" damages as well, so the agreement should spell out how such risk is allocated.

Scope

A pen test agreement should specify exactly what will and will not be done, and the assumptions that underlie it. The pentester relies on the customer to define which systems need to be tested and, more importantly, which ones do not. The agreement should also define when the test will be conducted (what exactly does "off peak" mean?), the nature of the access the tester will need, the cooperation required from the customer to make the test meaningful, and the scope (and manner) of notice to be provided prior to initiating the