Third Parties
Identifying third-party providers requires a little more manual work and research. Since there may be severe legal consequences for us, including a criminal charge, we should look at this issue here. In the case of a black-box penetration test, we must pay close attention to which third-party providers offer services to our target company.
However, this does not mean that we are not allowed to test systems from third-party suppliers. For this purpose, "Penetration Testing Authorisation Forms" exist, which must be filled in and submitted. These inform the third-party vendors that they will most likely receive alerts for the specific systems and that this is being done intentionally by us. This will also prevent our Internet Service Provider (ISP) from being contacted and blocking our access to the internet. It will also stop us from being charged for attacking the hosts.
We should not use attacks such as DDoS unless all parties have agreed to them, so as not to restrict the services we provide to other users. But here, too, there are always precise specifications (Penetration Testing Rules of Engagement) from third-party suppliers that we have to follow.
If no forms are available from the third-party provider, our customer must contact the third-party provider and obtain permission. Otherwise, our customer must fill out and submit the documents and provide us with confirmation of permission to test the systems.