Thursday, October 06, 2005

Attorney-client privilege for pentest results

What an interesting idea. This article's thesis is that pentest results can potentially be used against the company that ordered the test. In court, opposing counsel could use them to argue that the company failed to exercise due diligence in protecting its assets.

The solution? Have your attorney arrange the pentest, and then the results will be covered under attorney-client privilege.

This is kind of a neat legal "hack", but it's kinda sad that this could be necessary. Pentests are all about exercising due diligence, not ignoring it. At least, that holds when a company properly follows through on the findings and fixes what the test turned up, which is not always the case. Privilege may keep the report out of discovery, but it doesn't close the holes the report describes. So if you're planning to ignore the results of your next test, read this article.


joat said...

That's very scary. It parallels the logic that a rape victim was "just asking for it". Hopefully the logic won't hold up in court, as all forms of security undergo testing, usually for two reasons: one, to validate protections, and two, to find weaknesses (new or otherwise).

It's like saying that I should check the thickness of my brake pads periodically.

joat said...

err... that I shouldn't check my brake pads that is!