How to propose a security audit / pen-test?

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

Moderator: General Moderators

leonel.machava
Forum Newbie
Posts: 10
Joined: Fri May 15, 2009 4:28 pm

How to propose a security audit / pen-test?

Post by leonel.machava »

Hello guys!

I have discovered some vulnerable websites owned by companies and organizations of my country. These websites have critical vulnerabilities. On some it is possible to do an unauthorized login, on others to run any SQL command and delete/create/modify files, to name a few.

I would like to know how I can approach these organizations and propose a vulnerability assessment on these websites.
- Should I (phone) call them? If so, what should I say?
- Should I write a letter? If so, what should be the template and contents?

And what about a (full) security audit?

If you know of a website or book that addresses these issues, I would appreciate it!

NOTE: I am very interested in how to contact them and sign a contract with them.
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: How to propose a security audit / pen-test?

Post by kaisellgren »

leonel.machava wrote: I would like to know how I can approach these organizations and propose a vulnerability assessment on these websites.
- Should I (phone) call them? If so, what should I say?
- Should I write a letter? If so, what should be the template and contents?
Email is a valid method to inform someone. You can leave your phone number in the message if you want.

As far as public disclosure goes, you should always contact them and let them patch the vulnerabilities. It should be up to them, not the originator, to decide whether to disclose anything to the public. It should be noted that even if a vulnerability is not publicly disclosed, the likelihood of exploiting vulnerabilities on unpatched software versions increases due to the possibility of reverse-engineering the patches.
leonel.machava wrote: NOTE: I am very interested in how to contact them and sign a contract with them.
What kind of contract are you talking about here? To fix the vulnerabilities in exchange for $?
leonel.machava
Forum Newbie
Posts: 10
Joined: Fri May 15, 2009 4:28 pm

Re: How to propose a security audit / pen-test?

Post by leonel.machava »

Thank you kaisellgren!

Well, in my country, security is still something alien. A few developers are aware of it.
kaisellgren wrote: Email is a valid method to inform someone. You can leave your phone number in the message if you want.

As far as public disclosure goes, you should always contact them and let them patch the vulnerabilities. It should be up to them, not the originator, to decide whether to disclose anything to the public. It should be noted that even if a vulnerability is not publicly disclosed, the likelihood of exploiting vulnerabilities on unpatched software versions increases due to the possibility of reverse-engineering the patches.
I usually do it for websites of foreign countries. I email them with the info about the vulnerabilities.
kaisellgren wrote: What kind of contract are you talking about here? To fix the vulnerabilities in exchange for $?
Yes. I think it is a big opportunity for me to make some $. I don't know anyone else who can help them, and I am sure they don't know how to fix the vulnerabilities.

Any help here, please.
josh
DevNet Master
Posts: 4872
Joined: Wed Feb 11, 2004 3:23 pm
Location: Palm beach, Florida

Re: How to propose a security audit / pen-test?

Post by josh »

I'm all for public disclosure; sure, it could possibly end up in the wrong hands, but the clients of said company also have a right to know so they can switch to a better company. But if any money or human life is at stake, then no, don't publicly disclose it.

If I were you, I would give them one freebie and charge them $500 - $1,500 to explain each additional security hole and fix it for them :D
leonel.machava
Forum Newbie
Posts: 10
Joined: Fri May 15, 2009 4:28 pm

Re: How to propose a security audit / pen-test?

Post by leonel.machava »

Thank you josh!