Hi,

I just posted the sec-testing starter kit, which is actually from the OSSTMM Professional Security Tester course and covers briefly the rules of engagement - what testers need to think about and do in testing. It includes what needs to be covered in an OSSTMM certified test. It's an overview. I also posted just the templates from the OSSTMM 2.0. That might help you. One of them is the Assessment template, which basically helps you outline exactly what you're going to test and why you made the cost estimate you did.

You can find them both here:

www.isecom.org/guides/templates.pdf
www.isecom.org/guides/starter-kit.pdf

Sincerely,
-pete.

-----Original Message-----
From: Martin Wasson [mailto:martin_wassonat_private]
Sent: Monday, February 03, 2003 8:40 PM
To: Ryan
Cc: pen-testat_private
Subject: Re: Proposal?

Ryan,

Here are some items you may wish to include. It's off the top of my head, so they're not in any particular order. But you'll want your doc to flow nicely, so arrange them as logically as you can. That's all I can think of at the moment. Use whatever ones you like:

scan request submitted by:
the requester/submitter's department:
an emergency contact including email/pager/cell # if the scan causes problems/outages:
(you) outline the specifics of the scan:
who owns the box you'll be scanning:
has the box/data owner been notified, and do they need to approve the scan:
how you will back out if the scan goes awry:
will an outage need to be scheduled for the scan:
what are the possible external customer impacts of the scan:
what are the possible internal customer (your co-workers) impacts of the scan:
what is the reason for the scan:
what hardware platform is the scan being done from:
what hardware platform is being scanned:
what tools you will be using to perform the scan:
a description of each tool's purpose:
what is the risk severity of the scan: (will you be employing D.O.S. techniques, as Nessus or ISS Internet Scanner might do)
when you will begin:
when you will end:
who has approved the scan:
what individuals/departments have been notified of the scan:

Marty Wasson

"Ryan" <ryan@packetwatch.net>
02/02/03 11:03 AM
To: <pen-testat_private>
cc: (bcc: Martin Wasson/STL/MASTERCARD)
Subject: Proposal?

Hi,

I am going about doing my first pen-test, and I'm at the point of writing my proposal with specific details, like the machine's IP address and host name, the time of day I will be working, and what I'd like to do. I will be performing a pen-test on one specific server. I was wondering if anyone could give me a guideline (format) of how to do this. I was told by them that they are looking for a 1-2 page writeup.

Thanks.
Ryan

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service. For more information on SecurityFocus' SIA service, which automatically alerts you to the latest security vulnerabilities, please see: https://alerts.securityfocus.com/
This archive was generated by hypermail 2b30 : Tue Feb 04 2003 - 11:14:48 PST