I would think that an appropriate compromise would be for Company Y to agree
to deploy a web application firewall as it would not be as "intrusive" as a
scanner against the site.
After suffering a web compromise, I would think that Company Y would be
making changes anyway.
--
Ryan C. Barnett
ModSecurity Community Manager
Breach Security: Director of Application Security Training
Web Application Security Consortium (WASC) Member
CIS Apache Benchmark Project Lead
SANS Instructor, GCIA, GCFA, GCIH, GSNA, GCUX, GSEC
Author: Preventing Web Attacks with Apache
On 10/3/07, an_itsec_guy@hushmail.com <an_itsec_guy@hushmail.com> wrote:
>
> Scenario:
>
> Company X hires Company Y to host some of X's content on Y's
> managed hosting service. (Cost-effective, you know ;) The usual
> NDA(s), SAS-70 Type II report, and controls follow. X's customers
> now surf to Y's website to interact with some of X's content.
> Everybody's happy.
>
> One day, Company Y's website is compromised. Unauthorized
> modifications are made to some of Company X's data. Hands wave,
> fingers are pointed, blah blah blah. The crux: Company X now wants
> to use its web application vulnerability scanners on Company Y's
> sites. Some in Company X want to do this without telling Company
> Y. This of course violates the rule "get permission in writing",
> and likely a host of other contractual agreements. Others in
> Company X think they should be able to scan their content on
> Company Y's website whenever they feel like it because "it's
> Company X's content harumph".
>
> Thoughts?
> Options?
>
> Thanks
>
> Signed
> An ITSec Guy
>
>
> ----------------------------------------------------------------------------
> Join us on IRC: irc.freenode.net #webappsec
>
> Have a question? Search The Web Security Mailing List Archives:
> http://www.webappsec.org/lists/websecurity/
>
> Subscribe via RSS:
> http://www.webappsec.org/rss/websecurity.rss [RSS Feed]