
I have an Azure website and a client who wants to use my site but needs to perform ethical hacking on it in order to decide if it's secure enough for them. They've asked me to send them this:

The network configuration to have visibility and connection or traffic to the target IP, i.e., IP/mask/Gateway/DNS. If the web server is accessed via VPN, the client and connection credentials

I thought the IP is enough (and they don't need me for it as they can look it up). What am I missing? I don't want to give them sensitive data.

techraf
TBurek
    You have missed the Help Center section: [What types of questions should I avoid asking?](http://security.stackexchange.com/help/dont-ask). You should ask your client for the reasons. Anyone else can only speculate. – techraf Jul 14 '16 at 08:01
    Make sure to get approval first: https://security-forms.azure.com/penetration-testing/terms – Michael Jul 14 '16 at 08:28

2 Answers


If the server is publicly accessible then you don't need to worry about VPN connection info. Security assessments are often performed on sites before they are exposed to the internet, when the site is only accessible on a private network, so they will ask you to provide these details if that is the case.

The DNS name that the application will have will also be useful to the consultants who are testing the application. For example, if they have a site at www.example.com and you are developing a replacement that is currently hosted at beta.anotherexample.com or just has an IP address, they may need to configure their hosts file for the site to work properly. This is quite common if you have developed a site in a CMS like WordPress and it expects all links to start with www.example.com even though the DNS name does not point to your server yet / the website hasn't been deployed to production.

Probably the best thing to do is to ask for the mobile phone number of the tester that will test your site and chat with them about what they need. It will be useful to have this number (and for the tester to have yours) in case the tester accidentally takes your site down or you need them to pause testing for some reason. They may also be friendly and be allowed to give you an informal 'heads up' of what the report is about to contain :)

Stu W
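The hosts-file point in Stu W's answer is easy to get wrong during a handover: the tester needs to know whether the production name already resolves to the staging server or whether they must pin it locally. The following is an added example (not code from the question or the answer) that checks a hostname against the IP the developer hands over and, when DNS does not yet point there, produces the hosts-file line the tester would add. The resolver is injectable so the check runs offline; the `STUB_DNS` table, `www.example.com`, `beta.anotherexample.com` and the 203.0.113.0/24 addresses are constructed sample data.

```python
import ipaddress
import socket

# Constructed sample DNS view for offline use: the production name does not
# resolve yet, the staging name already points at the target server.
STUB_DNS = {
    "beta.anotherexample.com": "203.0.113.10",
}


def stub_resolve(hostname):
    """Offline stand-in for socket.gethostbyname using the constructed table."""
    try:
        return STUB_DNS[hostname]
    except KeyError:
        # socket.gaierror is what the real resolver raises for NXDOMAIN.
        raise socket.gaierror(f"{hostname}: Name or service not known")


def hosts_override(hostname, target_ip, resolve=socket.gethostbyname):
    """Return a hosts-file line if `hostname` does not resolve to `target_ip`.

    Returns None when DNS already points at the target, so no override is
    needed. Raises ValueError if `target_ip` is not a valid IPv4/IPv6 literal,
    which catches a mistyped address before it reaches the tester.
    """
    target = ipaddress.ip_address(target_ip)
    try:
        resolved = resolve(hostname)
    except OSError:  # socket.gaierror subclasses OSError
        resolved = None
    if resolved is not None and ipaddress.ip_address(resolved) == target:
        return None
    return f"{target} {hostname}"


def hosts_block(scope, resolve=socket.gethostbyname):
    """Build the hosts-file entries for a whole handover.

    `scope` is a list of (hostname, target_ip) pairs; the result is the list of
    lines the tester must add, in order, skipping names that already resolve
    correctly. Every entry is validated, so a bad IP anywhere fails fast.
    """
    lines = []
    for hostname, target_ip in scope:
        line = hosts_override(hostname, target_ip, resolve=resolve)
        if line is not None:
            lines.append(line)
    return lines


if __name__ == "__main__":
    scope = [
        ("www.example.com", "203.0.113.10"),
        ("beta.anotherexample.com", "203.0.113.10"),
    ]
    for line in hosts_block(scope, resolve=stub_resolve):
        print(line)
```

Run it as-is to see the offline behaviour; drop the `resolve=stub_resolve` argument to query the real resolver before sending the scope to the tester. Note that a hosts-file override only affects name-to-IP mapping; if the site sits on a private network, the tester still needs the VPN details the answer describes, and a TLS certificate issued for the production name will still be presented by the staging host, which is usually what you want for this kind of test.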

This is not how business works. A customer shouldn't assess your security; you must give them the confidence that your site is secure, for example by paying some security firm to perform a vulnerability assessment of your site.

After that assessment, if your site is really secure, you will have a report you can show to your customers showing that your site is secure.

IMO, that's not a customer, just someone tricking you into giving away credentials to really hack you in the future.

The Illusive Man
    Not always. If your customer is a major bank / listed public company they will often have their own internal security standards and policies. As part of these standards they may require a third party consultant to assess the website on their behalf before signing off on the project. I have been the third party consultant in many situations like this... – Stu W Jul 14 '16 at 07:55
  • Addendum (I can't seem to edit): our contract was with the large company and we had a deal with them to test all of their sites at a discount rate after they audited us to check they were happy with our methods. Some of the apps we tested were for one-off marketing promotions and developed by small independent developers. – Stu W Jul 14 '16 at 08:10
  • I can confirm Stu W's claim that indeed some companies want to make such assessments themselves in a legitimate fashion – niilzon Jul 14 '16 at 08:16
  • @StuW that's exactly what I'm saying. The customer itself doesn't assess your security, a third-party does. Then you provide the customer the report of this third-party consultant. – The Illusive Man Jul 14 '16 at 09:20
  • @Ayozint some (usually larger) client organisations will commission / pay for the report themselves. There is the potential for a conflict of interest to arise if the devs did this, i.e. they could pay the third party off to not find issues or something similarly unscrupulous. The client will want to ensure that the third party is acting solely in their interests and is directly liable to them for any errors or omissions. They will want a satisfactory result before the contract gets signed off and the devs get paid. – Stu W Jul 14 '16 at 10:21
  • (2/2) This is similar to buying a house in most places: you (or your lender) contract your own lawyers / solicitors and commission your own building survey / valuation rather than rely on anything provided by the seller. – Stu W Jul 14 '16 at 10:22