Added radicallyopensecurity/templates/xml

This version has been tagged 'templates' in the original repository
This commit is contained in:
Peter Mosmans
2016-07-25 22:49:31 -07:00
parent 07565df7fe
commit 121bc5b268
153 changed files with 13672 additions and 0 deletions

View File

@@ -0,0 +1,17 @@
<?xml version="1.0" encoding="UTF-8"?>
<company>
<full_name>Radically Open Security B.V.</full_name>
<short_name>ROS</short_name>
<legal_rep>Melanie Rieback</legal_rep><!-- ROS legal representative (to sign offerte) -->
<poc1>Melanie Rieback</poc1><!-- first point of contact for ROS -->
<address>Overdiemerweg 28</address>
<postal_code>1111 PP</postal_code>
<city>Diemen</city>
<country>The Netherlands</country>
<phone>+31 6 10 21 32 40</phone>
<email>info@radicallyopensecurity.com</email>
<website>www.radicallyopensecurity.com</website>
<coc>60628081</coc>
<vat_no>853989655B01</vat_no>
<iban>NL06 RABO 0188 2813 12</iban>
</company>
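Review bot: this file is not yet the single source of truth it looks like. The terms-and-conditions letter in this same commit repeats the street address literally ("Overdiemerweg 28<br/>1111 PP Diemen") and uses a personal mailbox instead of the `<email>` defined here, and the general terms state the company is "located in Amsterdam" while `<city>` here says Diemen. Since `<legal_rep>` is already consumed through the `<company_legal_rep/>` placeholder, consider exposing `<address>`, `<postal_code>`, `<city>` and `<email>` the same way so a change here propagates everywhere. Minor: `<website>` has no scheme while the about section links to http://www.radicallyopensecurity.com; pick one form.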

View File

@@ -0,0 +1,67 @@
<?xml version="1.0" encoding="UTF-8"?>
<localised_strings>
<date>
<!-- Note: NOT IMPLEMENTED YET - date localisation requires some Saxon HE hacking and it isn't pretty -->
<format xml:lang="nl">[D1] [MNn] [Y]</format>
<format xml:lang="en">[MNn] [D1], [Y]</format>
</date>
<!-- THIS you can change/expand! -->
<string id="coverpage_offer">
<translation xml:lang="nl">OFFERTE</translation>
<translation xml:lang="en">OFFER</translation>
</string>
<string id="coverpage_service_pentest">
<translation xml:lang="nl">penetratietestdiensten</translation>
<translation xml:lang="en">penetration testing services</translation>
</string>
<string id="coverpage_service_pentest_short">
<translation xml:lang="nl">penetratietest</translation>
<translation xml:lang="en">penetration test</translation>
</string>
<string id="coverpage_service_basic-scan">
<translation xml:lang="nl">basis-securityscandiensten</translation>
<translation xml:lang="en">basic security scan services</translation>
</string>
<string id="coverpage_service_basic-scan">
<translation xml:lang="nl">basis-securityscan</translation>
<translation xml:lang="en">basic scan</translation>
</string>
<string id="coverpage_for">
<translation xml:lang="nl">VOOR</translation>
<translation xml:lang="en">FOR</translation>
</string>
<string id="qs2off_about">
<translation xml:lang="nl">Over <client_short/></translation>
<translation xml:lang="en">About <client_short/></translation>
</string>
<string id="qs2off_infrastructure">
<translation xml:lang="nl">Infrastructuur</translation>
<translation xml:lang="en">Infrastructure</translation>
</string>
<string id="qs2off_reach">
<translation xml:lang="nl">Reikwijdte <company_svc_short/></translation>
<translation xml:lang="en">Reach of <company_svc_short/></translation>
</string>
<string id="waiver_signed">
<translation xml:lang="nl">Getekend</translation>
<translation xml:lang="en">Signed</translation>
</string>
<string id="waiver_signed_on">
<translation xml:lang="nl">op</translation>
<translation xml:lang="en">on</translation>
</string>
<string id="waiver_signed_in">
<translation xml:lang="nl">in</translation>
<translation xml:lang="en">in</translation>
</string>
<string id="waiver_signed_by">
<translation xml:lang="nl">door</translation>
<translation xml:lang="en">by</translation>
</string>
<string id="waiver_signed_for">
<translation xml:lang="nl">namens</translation>
<translation xml:lang="en">for</translation>
</string>
</localised_strings>
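Review bot: `id="coverpage_service_basic-scan"` is declared twice. The second `<string>` holds the short forms ("basis-securityscan" / "basic scan"), and by analogy with the `coverpage_service_pentest` / `coverpage_service_pentest_short` pair it was presumably meant to be `coverpage_service_basic-scan_short`. As committed, a lookup by id will silently return the first entry (or the file fails validation if ids are checked), so the short label can never be selected. Also, the `<date>` block is marked "NOT IMPLEMENTED YET" but ships two formats anyway; either drop it until it works or state in the comment what currently happens when a template references it.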

View File

@@ -0,0 +1,42 @@
<?xml version="1.0" encoding="UTF-8"?>
<section>
<title>About <company_long/></title>
<p><company_long/> is the world's first not-for-profit computer security consultancy.
We operate under an innovative new business model whereby we use a Dutch fiscal
entity, called a “Fiscaal Fondswervende Instelling” (Fiscal Fund raising Institution),
as a commercial front-end to send 90% of our profits, tax-free, to a not-for-profit
foundation, Stichting NL net. The NLnet Foundation has supported open-source,
digital rights, and Internet research for almost 20 years.</p>
<p>In contrast to other organizations, our profits do not benefit shareholders,
investors, or founders. Our profits benefit society. As an
organization without a profit-motive, we recruit top-name, ethical security
experts and find like-minded customers that want to use their IT security
budget as a "vote" to support socially responsible entrepreneurship. The rapid
pace of our current growth reflects the positive response the market has to our
idealistic philosophy and innovative business model.</p>
<p><company_long/> has a number of values that we describe as our
“Core Principles.” These are:</p>
<ul>
<li><b>No sketchy stuff</b><br/>
We don't build surveillance systems, hack activists, sell exploits to
intelligence agencies, or anything of the sort. If a job is even remotely
morally questionable, we simply won't do it.</li>
<li><b>Open-Source</b><br/>
Releasing ALL tools and frameworks, we build as open-source on our website.</li>
<li><b>Teach to fish</b><br/>
During engagements, we will not only share our results with your company,
but also provide a step-by-step description of how to perform the same
audit or procedure without us. We want to demystify what we're doing.
It's not rocket science, and we genuinely want to help your company
improve its security posture, even if it costs us repeat business.</li>
<li><b>IoCs for free</b><br/>Releasing ALL collected threat intelligence
(Indicators of Compromise) into an open-source database that everyone can freely use.
(Sanitized in agreement with customers.)</li>
<li><b>Zero days</b><br/>
We don't sell zero-days - we responsibly disclose them!</li>
</ul>
<p>For more information about <company_long/>, we refer you to our website:
<a href="http://www.radicallyopensecurity.com">www.radicallyopensecurity.com</a>.</p>
</section>
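Review bot: the foundation is spelled two ways in one paragraph ("Stichting NL net" and "The NLnet Foundation"); this text goes on the first page of every offer, so use one spelling. In the Open-Source bullet the comma is misplaced: "Releasing ALL tools and frameworks, we build as open-source on our website" should read "Releasing ALL tools and frameworks we build as open-source on our website". The closing link uses plain http://; confirm that is the intended scheme for the public site.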

View File

@@ -0,0 +1,16 @@
<?xml version="1.0" encoding="UTF-8"?>
<section id="blackboxing">
<title>The Black-Box Pentesting Method</title>
<p>
<!--snippet -->Crystal-Box vs. Black-Box pentesting refers to the amount of information
about the target environment, architecture, and/or applications that the customer
initially shares with the pentesters. With Black-Box testing, pentesters
are given no information whatsoever about the target(s). With Crystal-Box testing,
pentesters are given all information requested about the target(s), including
source code (when relevant), access to developers or system management, etc..
<br />
<br />
In this case <company_short/> will conduct a black-Box test.
</p>
</section>
<!-- end of template -->
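Review bot: the introductory paragraph here is a near-verbatim copy of the one in the crystal-box and grey-box templates in this commit, and the three copies already diverge ("Black-Box" vs "black-box", "source code" vs "source-code", "etc.." with a double period here and in the grey-box file). Since the introduction and methodology templates already declare the XInclude namespace, one shared snippet included from the three method files would keep the wording in sync. Two small points in this hunk: "black-Box" in the closing sentence mixes cases, and `<!--snippet -->` sits inside `<p>` here but before `<section>` in the crystal-box file; if any tooling keys on that marker, its position should be consistent.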

View File

@@ -0,0 +1,40 @@
<?xml version="1.0" encoding="UTF-8"?>
<section>
<title>Code Audit</title>
<p><company_short/> will perform a code audit to aid pentesting. During a
code audit, we manually examine the code of an application to ensure there
are no security vulnerabilities and use our understanding of the code to
guide our pentesting. If vulnerabilities are found, we document those and
suggest ways to fix them. This is done by highly-trained penetration testers
who can both review the raw code as well as interpret the findings of the
automated scans, putting them into context.</p>
<p>During the code audit portion of penetration tests, we take the following
criteria into account:</p>
<ol>
<li>Risk Assessment and "Threat Modeling"<br/>
In this step, we analyze the risks of a particular application or system.
Threat Modeling is a specific, structured approach to risk analysis that
enables us to identify, qualify, and address the security risks, thus
dovetailing with the Code Review process. For example, user data is
sacred. We focus on encrypted storage, discover if <client_short/> employees
have a backdoor into data, and cut loose stolen devices by wiping them
remotely and revoking accounts.</li>
<li>Purpose and Context<br/>
Here we focus on risks, especially in the quick and easy sharing of
internal documents and itineraries. Account details aren't so secret
when we know who will be in meetings, but what's being discussed is secret.</li>
<li>Complexity<br/>
The complexity of the system is in the frameworks that support the web
application. We'd ignore those and focus only on the custom code and
backend code. We would also
focus on implementation mistakes and known flaws in the systems. For
example, we'd ensure you're using the latest versions of software,
but we wouldn't delve into the framework itself. Since we assume the
code is written by a team, it should be clearly-written code. If you have
several full-release versions, there will undoubtedly be several revisions
and audits on that code.</li>
</ol>
<p>For more information, please refer to this link:
<a href="https://www.owasp.org/index.php/OWASP_Code_Review_V2_Table_of_Contents">https://www.owasp.org/index.php/OWASP_Code_Review_V2_Table_of_Contents</a></p>
</section>
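Review bot: the "Risk Assessment" and "Purpose and Context" items read as leftovers from one particular engagement rather than generic template text ("cut loose stolen devices by wiping them remotely and revoking accounts", "internal documents and itineraries", "who will be in meetings"); a customer receiving this offer for an unrelated application would be shown scenarios that do not apply. Either generalise the wording or turn the examples into placeholders. Separately, "manually examine the code of an application to ensure there are no security vulnerabilities" promises more than the disclaimer and general terms in this commit allow (reasonable efforts, no guarantee of security); "to look for security vulnerabilities" keeps the documents consistent. The "Complexity" item also says frameworks are ignored and then that the latest versions are checked; state plainly that version checks are done but framework internals are out of scope.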

View File

@@ -0,0 +1,21 @@
<?xml version="1.0" encoding="UTF-8"?>
<section>
<title>Terms and Conditions</title>
<!-- snippet --><p><company_short/> will only perform the <company_svc_short/>
if it has obtained the permission from <generate_permission_parties/>
as set out in the penetration testing waiver, attached as <b>Annex 2</b>,
or provided in a separate document.</p>
<p><company_short/> performs this assignment on the basis of its general
terms and conditions, which are attached to this offer as Annex 1.
<company_short/> rejects any general terms and conditions used by
<client_short/>.</p>
<p>In order to agree to this offer, please sign this letter in duplicate
and return it to:</p>
<contact>
<name><company_legal_rep/></name>
<address><company_long/><br/>Overdiemerweg 28<br/>1111 PP Diemen</address>
<email>melanie@radicallyopensecurity.com</email>
</contact>
<generate_offer_signature_box/>
</section>
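Review bot: the `<contact>` block hard-codes the postal address and an individual's mailbox while the name line correctly uses `<company_legal_rep/>`; company.xml in this commit already defines `<address>`, `<postal_code>`, `<city>` and `<email>`, so these should come from placeholders too, and it should be a deliberate choice whether signed offers go to the generic `<email>` (info@) or to a personal address that will break when the signatory changes. Minor: "Annex 2" is bold while "Annex 1" in the next paragraph is not.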

View File

@@ -0,0 +1,17 @@
<?xml version="1.0" encoding="UTF-8"?>
<!--snippet -->
<section id="crystalboxing">
<title>The Crystal-Box Pentesting Method</title>
<p>
Crystal-box vs. black-box pentesting refers to the amount of information about the target environment, architecture, and/or applications the customer initially shares with the pentesters. With black-box testing, pentesters are given no information whatsoever about the target(s). With crystal-box testing, pentesters are given all information requested about the target(s), including source-code (when relevant), access to developers or system management, etc.
</p>
<p>
<company_short/> will conduct crystal-box pentesting, which is the preferred
method. Unlike real-world attackers who have all of the time in the world,
penetration testing tends to happen within a limited time frame. Crystal-box
pentesting allows us to make the most efficient use of the time allotted, thus
maximizing the number of vulnerabilities that can be found. Additionally
crystal-box pentesting fits naturally hand-in-hand with the "Peek Over Our Shoulder" option that <company_short/> offers to <client_short/>.
</p>
</section>
<!-- end of template -->
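Review bot: the last sentence refers to the "Peek Over Our Shoulder" option that ROS "offers to <client_short/>", but nothing in this commit defines or includes that option, so an offer that does not contain it will reference something the customer cannot find. Either make the sentence conditional on the option being part of the offer or describe the option in a snippet of its own. Grammar: "Additionally crystal-box pentesting" needs a comma after "Additionally", and "source-code" here is "source code" in the black-box file.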

View File

@@ -0,0 +1,25 @@
<?xml version="1.0" encoding="UTF-8"?>
<section>
<title>Disclaimer</title>
<p>It is possible that in the course of the penetration testing, <company_short/>
might hinder the operations of the Targets or cause damage to the Targets.
<client_short/> gives permission for this, to the extent that <company_short/>
does not act negligent or recklessly. <client_short/> also warrants it has the
authority to give such permission.</p>
<p>It is important to understand the limits of <company_short/>'s services.
<company_short/> does not (and cannot) give guarantees that something is
secure. <company_short/>, instead, has an obligation to make reasonable
efforts (in Dutch: “<i>inspanningsverplichting</i>”) to perform the
agreed services.</p>
<p><company_short/> and <client_short/> agree to take reasonable measures to
maintain the confidentiality of information and personal data they gain
access to in the course of performing the penetration test within the
Targets. Both parties will use the information and data they receive or
access only for the purposes outlined in this agreement.
<company_short/> warrants that all core-team members, external freelancers,
and volunteers it engages to perform the penetration test have signed a
non-disclosure agreement (NDA). </p>
</section>
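Review bot: the liability standard in the first paragraph ("does not act negligent or recklessly") is not the one used in the general terms of this same commit, which carve out only "intent or recklessness (opzet of bewuste roekeloosheid)"; both documents form one offer, so the narrower standard is the one a customer will argue, and if the difference is intended it should be explicit. Grammar in the same sentence: "negligently or recklessly". The second paragraph repeats the "What can the customer expect" paragraph of the general terms word for word; a shared snippet would avoid the two drifting apart. "Targets" is used as a capitalised defined term here but is only defined in the waiver (Annex 2), so this section should say where the definition lives.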

View File

@@ -0,0 +1,4 @@
<?xml version="1.0" encoding="UTF-8"?>
<!-- snippet --><p>Based on the information provided, we expect
this to be an <p_duration/>-day engagement. The planning of this engagement
is as follows:</p>
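Review bot: "an <p_duration/>-day engagement" produces the wrong article for most values once the placeholder is filled ("an 5-day engagement"), and switching to "a" would be wrong for 8, 11 or 18. Rephrase so no article precedes the number, for example "we expect this engagement to take <p_duration/> days". Also worth a comment in the file that a planning table is expected to follow this snippet, since the paragraph ends with "is as follows:" and nothing follows here.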

View File

@@ -0,0 +1,93 @@
<section id="waiver-example">
<title>ANNEX 2 Example Pentest Waiver</title>
<p><b><i>(Full Client Name)</i> (“<i>(Client)</i>”)</b>, with its registered
office at Somestreet, Somecity, Earth,
Milkyway, and duly represented by <i>(Client's CISO)</i></p>
<p><b>WHEREAS:</b></p>
<p>A. <i>(Client)</i> wants some of its systems tested, <company_long/>
(“<company_short/>”) has offered to perform such testing for <i>(Client)</i>
and <i>(Client)</i> has accepted this offer. The assignment will be performed
by <company_short/>'s core-team members, external freelancers, and/or volunteers
(the “Consultants”).</p>
<p>B. Some of the activities performed by <company_short/> and the Consultants
during the course of this assignment could be considered illegal, unless
<i>(Client)</i> has given permission for these activities. <company_short/>
and the Consultant will only perform such activities if they have received the
required permission.</p>
<p>C. <i>(Client)</i> is willing to give such permission to <company_short/>,
the Consultants, and any other person <company_short/> might employ
or engage for the assignment.</p>
<p><b>DECLARES AS FOLLOWS:</b></p>
<p>1. <i>(Client)</i> is aware that <company_short/> will perform penetration
testing services on the <i>(Client)</i>'s following systems, as
described below. The services are intended to gain insight in the security of
these systems. To do so, <company_short/> will access these systems, attempt to
find vulnerabilities, and gain further access and elevated privileges by
exploiting any vulnerabilities found. <company_short/> will test the following
targets (the “Targets”):
<ul>
<li>Target system</li>
</ul>
</p>
<p>2. <i>(Client)</i> hereby grants <company_short/> and the Consultants on a
date to be confirmed by email the broadest permission
possible to perform the assignment, including the permission to:</p>
<p>a. enter and use the Targets;</p>
<p>b. circumvent, breach, remove, and turn off any security measures protecting
the Targets;</p>
<p>c. copy, intercept, record, amend, delete, and render unusable or inaccessible
any data stored on, processed by, or transferred via the Targets; and</p>
<p>d. hinder the access or use of the Targets,</p>
<p>but <i>(Client)</i> only grants the permission for these activities to the
extent that (i) such activities are necessary to perform the assignment and
(ii) such activities do not disrupt the normal business operations of <i>(Client)</i>.</p>
<p>3. The permission under Article 1 extends to all systems on which the Targets
run, or which <company_short/> or the Consultant might encounter while performing
the assignment, regardless of whether these systems are owned by third parties.</p>
<p>4. <i>(Client)</i> warrants that it has the legal authority to give the
permission set out under Articles 1 and 2. It also warrants it has obtained the
necessary permissions from any third parties referred to under Article 3.</p>
<p>5. Should the public prosecutor initiate an investigation or criminal proceedings
against <company_short/> or any of the consultants it engaged or employed as a
result of the performance of the assignment for the customer, then
<i>(Client)</i> will co-operate fully with <company_short/> in defending against
this investigation or proceedings, including by providing any evidence it has
which relates to this investigation or these proceedings.</p>
<br/>
<table cols="48 433">
<tbody>
<tr>
<td rowspan="4">
Signed
</td>
<td>
on __________________________________
</td>
</tr>
<tr>
<td>
in __________________________________
</td>
</tr>
<tr>
<td>
by __________________________________
</td>
</tr>
<tr>
<td>
for <i>(Full Client Name)</i>
</td>
</tr>
</tbody>
</table>
</section>
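Review bot: article 3 refers to "the permission under Article 1", but the permission is granted in article 2; article 1 only lists the Targets. Article 4 then cites "Articles 1 and 2", so one of the two references is wrong. Permission 2(d) "hinder the access or use of the Targets" sits directly next to restriction (ii) "do not disrupt the normal business operations", while the disclaimer template in this commit has the client accept possible hindrance; the three should be reconciled. The signature table hard-codes English "Signed", "on", "in", "by" and "for" even though the localised strings file defines waiver_signed_* for exactly these words, so a Dutch offer will get an English signature block. Markup: the `<ul>` is nested inside the article 1 `<p>`, unlike the other templates, and this file lacks the `<?xml ...?>` declaration the others have.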

View File

@@ -0,0 +1,197 @@
<?xml version="1.0" encoding="UTF-8"?>
<annex>
<title>Annex 1<br/>General Terms and Conditions</title>
<p><b>What is this document?</b></p>
<p>These are the general terms and conditions (in Dutch: “<i>algemene voorwaarden</i>”)
of <company_long/> (<company_short/>). This version of the general terms and conditions
is dated 15 July 2014.</p>
<p>In the spirit of <company_short/>'s philosophy, <company_short/> wants these
general terms and conditions to be as understandable as possible. If you have any
questions, feel free to ask for clarification.</p>
<p><b>What is <company_long/>?</b></p>
<p><company_short/> is a private limited liability company under Dutch law located
in Amsterdam, The Netherlands. It is registered at the Dutch Chamber of Commerce
under no. 60628081.</p>
<p><b>To what do these terms and conditions apply?</b></p>
<p>These general terms and conditions apply to all agreements between <company_short/>
and the customer. <company_short/> rejects any terms and conditions used by the
customer. The parties can only deviate from these general terms and conditions
in writing. These general terms and conditions are also intended to benefit any
person employed or engaged by <company_short/> during the performance of an assignment.</p>
<p><b>How does <company_short/> agree on an assignment?</b></p>
<p><company_short/> wants both parties to have a clear picture of an assignment
before it starts. This means there only is an agreement between <company_short/>
and the customer after <company_short/> sends a written offer containing the key
terms of the agreement and the customer subsequently accepts the offer.
Communications other than the written offer do not form part of the agreement.
<company_short/> can rescind an offer until it is accepted by the customer.</p>
<p><b>What can the customer expect from <company_short/>?</b></p>
<p>It is important to understand the limits of <company_short/>'s services.
<company_short/> does not (and cannot) give guarantees that something is secure.
<company_short/> instead has an obligation to make reasonable efforts
(in Dutch: “<i>inspanningsverplichting</i>”) to perform the agreed services.</p>
<p><company_short/> will make reasonable efforts to perform the assignment in
accordance with the plan set out in the offer (if any). If <company_short/>
expects it will not fulfill the plan as documented, it will let the customer
know without delay. <company_short/> is not automatically deemed to be in default
if it doesn't meet the plan.</p>
<p><company_short/> will make reasonable efforts to avoid disruption of the
customer's operations and damage to its owned or operated systems, but it
cannot guarantee that this will be avoided. The customer agrees
to this. <company_short/> is not obliged to restore the systems or recover any
data deleted or amended in the course of the assignment.</p>
<p><b>What can <company_short/> expect from the customer?</b></p>
<p>The customer will provide <company_short/> with all means necessary to allow
<company_short/> to perform the agreed services. If <company_short/> needs explicit
permission from the customer to perform its services (for example, when doing
penetration tests) the customer gives this permission. The customer also warrants
that it has the legal authority to give this permission.</p>
<p><b>How do the parties handle confidential information?</b></p>
<p><company_short/> and the customer will not disclose to others confidential
information and personal data they receive from each other or gain access to in
the course of an assignment. <company_short/> has the right to disclose this
information and data to persons engaged by <company_short/>, but only if these
persons have a similar confidentiality obligation vis-á-vis <company_short/>.
Any person will only use the information and data it receives or gains access
to for the purposes following from the agreement. Both parties will take reasonable
measures to maintain the confidentiality of the information and data they received
or gained access to, and will ensure that persons engaged by them do the same.</p>
<p><b>What does <company_short/> do with vulnerabilities it finds in the course
of an assignment?</b></p>
<p>If <company_short/> in the course of an assignment finds a vulnerability which
might affect the customer, it will report this to the customer. If a vulnerability
might affect third parties as well, <company_short/> retains the right to disclose
this vulnerability also to others than the customer. It will only do so after
having given the customer a reasonable period to take measures minimising the
impact of the vulnerability, in line with responsible disclosure best practices.</p>
<p><b>What does <company_short/> do with indicators of compromise it finds?</b></p>
<p>If <company_short/> in the course of an assignment finds indicators of
compromise, such as malware signatures and IP-addresses, it will report this to
the customer. <company_short/> retains the right to also publish this information
in a publicly accessible database. It will only do so after it has given the
customer the opportunity to object to the publication of data which would
negatively impact the customer.</p>
<p><b>Who owns the products developed in the course of the assignment?</b></p>
<p><company_short/> retains any intellectual property rights in products developed
for an assignment, such as software and reports. <company_short/>, however, wants
to teach as many customers as possible 'how to fish'.</p>
<p>For software it developed, this means that <company_short/> gives the customer
a permanent, non-exclusive, transferable, sub-licensable, worldwide license to
distribute and use the software in source and binary forms, with or without
modification (very similar to the BSD-license). If <company_short/>'s software
is based on other software which is provided under a license which restricts
<company_short/>'s ability to license its own software (such as the GPLv3 license),
the more restrictive license will apply.</p>
<p>For other products it developed, such as reports and analyses, <company_short/>
gives the customer the same license, but this license is exclusive to the customer
and does not contain the right to modification. The latter condition is intended
to ensure that the customer will not change <company_short/>'s products, such as
reports and analyses. <company_short/> retains the right to reuse these products,
for example for training and marketing purposes. <company_short/> will remove any
confidential information from these products before publication.</p>
<p><company_short/> retains title to any property transferred to the customer
until all outstanding payments by the customer have been done in full (in Dutch:
<i>eigendomsvoorbehoud</i>”). <company_short/> also only gives a license after
all outstanding payments have been done in full.</p>
<p><b>Who will perform the assignment?</b></p>
<p><company_short/> has the right to appoint the persons who will perform the
assignment. It has the right to replace a person with someone with at least the
same expertise, but only after having consulted with the customer. This means
that section 7:404 Dutch Civil Code (in Dutch: “<i>Burgerlijk Wetboek</i>”) is
excluded.</p>
<p>Due to the nature of <company_short/>'s business, <company_short/> regularly
works with freelancers for the performance of its assignments. <company_short/>
has the right to engage third parties, including freelancers, in the course of
the performance of an assignment.</p>
<p><company_short/> wants to be able to use the expertise of its entire team to
help with an assignment. This means that in the course of an assignment, it is
possible that the persons performing the assignment will consult with and be
advised by others in <company_short/>'s team. These others will of course be
bound by the same confidentiality obligations as the persons performing the assignment.</p>
<p><b>What happens when the scope of the assignment is bigger than agreed?</b></p>
<p><company_short/> and the customer will attempt to precisely define the scope
of the assignment before <company_short/> starts. If during the course of the
assignment, the scope turns out to be bigger than expected, <company_short/>
will report this to the customer and make a written offer for the additional work.</p>
<p><b>How is payment arranged?</b></p>
<p>All amounts in <company_short/>'s offers are in Euros, excluding VAT and
other applicable taxes, unless agreed otherwise.</p>
<p>For assignments where the parties agreed to an hourly fee, <company_short/>
will send an invoice after each month. For other assignments, <company_short/>
will send an invoice after completion of the assignment, and at moments set out
in the offer (if any). The customer must pay an invoice within 30 days of the
invoice date.</p>
<p><company_short/> may, prior to an assignment, agree on the payment of a
deposit by the customer. <company_short/> will settle deposits with interim
payments or the final invoice for the assignment.</p>
<p>If the payment is not received before the agreed term, the client will be
deemed to be in default without prior notice. <company_short/> will then have
the right to charge the statutory interest (in Dutch: “<i>wettelijke rente</i>”)
and any judicial and extrajudicial (collection) costs (in Dutch:
<i>gerechtelijke- en buitengerechtelijke (incasso)kosten</i>”).</p>
<p>If the customer cancels or delays the assignment two weeks before it starts,
<company_short/> is entitled to charge the customer 50% of the agreed price.
If the customer cancels or delays the assignment after it already started,
<company_short/> is entitled to charge the customer 100% of the agreed price.
<company_short/> is entitled to charge a pro rata percentage in the case of
cancellation or delay shorter than two weeks before the start of the assignment
(i.e. a cancellation one week before the assignment would entitle <company_short/>
to charge 75% of the agreed price).</p>
<p><b>For what can <company_short/> be held liable?</b></p>
<p>Any liability of <company_short/> resulting from or related to the performance
of an assignment, shall be limited to the amount that is paid out in that
specific case under an applicable indemnity insurance of <company_short/>,
if any, increased by the amount of the applicable deductible (in Dutch:
<i>eigen risico</i>”) which under that insurance shall be borne by <company_short/>.
If no amount is paid out under an insurance, these damages are limited to the
amount already paid for the assignment, with a maximum of EUR 10.000.
Each claim for damages shall expire after a period of one month from the day
following the day on which the customer became aware or could reasonably
be aware of the existence of the damages.</p>
<p>To make things clear, <company_short/> is not liable if a person associated
with <company_short/> acts contrary to any confidentiality or non-compete
obligation vis-á-vis the customer or a third party, this person might have
agreed to in another engagement.</p>
<p>What happens when third parties lodge a claim or initiate criminal proceedings
against <company_short/>?</p>
<p>The customer shall indemnify <company_short/> and any person employed or
engaged by <company_short/> for any claims of third parties which are in any
way related to the activities of <company_short/> and any person employed or
engaged by <company_short/> for the customer.</p>
<p>Should a third party lodge a claim against <company_short/> or any of the
consultants it engaged or employed as a result of the performance of the assignment
for the customer, then the customer will co-operate fully with <company_short/>
in defending against this claim, including by providing to <company_short/> any
evidence it has which relates to this claim.
Should the public prosecutor initiate an investigation or criminal proceedings
against <company_short/> or any of the consultants it engaged or employed as a
result of the performance of the assignment for the customer, then the customer
will also co-operate fully with <company_short/> in defending against this
investigation or proceedings, including by providing any evidence it has which
relates to this investigation or these proceedings.</p>
<p>The customer shall reimburse <company_short/> and any person employed or
engaged by <company_short/> all costs of legal defence and all damages in
relation to these claims, investigations or proceedings. This provision does
not apply to the extent a claim, investigation, or proceeding is the result of
the intent or recklessness (in Dutch: “<i>opzet of bewuste roekeloosheid</i>”)
of <company_short/> or a person employed or engaged by <company_short/>.</p>
<p><b>When is this agreement terminated and what happens then?</b></p>
<p>Each of the parties may terminate the agreement wholly or partly without
prior notice if the other party is declared bankrupt or is being wound up or if
the other party's affairs are being administered by the court
(in Dutch: “surséance van betaling”).</p>
<p><b>When can <company_short/> not be expected to perform the assignment?</b></p>
<p>In the case of force majeure (in Dutch: “<i>overmacht</i>”) as a result of
which <company_short/> cannot reasonably be expected to perform the assignment,
the performance will be suspended. Situations of force majeure include cases
where means, such as soft- and hardware, which are prescribed by the customer
do not function well. The agreement may be terminated by either party if a
situation of force majeure has continued longer than 90 days. The customer will
then have to pay the amount for the work already performed pro rata.</p>
<p><b>Which law applies and which court is competent?</b></p>
<p>Dutch law applies to the legal relationship between <company_short/> and its
customers. Any dispute between <company_short/> and a customer will be resolved
in the first instance exclusively by the District Court (in Dutch:
<i>rechtbank</i>”) of Amsterdam, the Netherlands.</p>
</annex>
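Review bot: "located in Amsterdam" contradicts company.xml in this commit, which gives Diemen, and the same clause is what ties the competent court ("rechtbank of Amsterdam") to the company's seat, so confirm which is correct before this version is dated. The cancellation clause does not cover cancellation more than two weeks before the start: "two weeks before it starts" gives 50%, "after it already started" 100%, and the pro rata sentence handles less than two weeks, but nothing says whether a cancellation three weeks out costs 0% or 50%; write "two weeks or more before" if that is the intent. Formatting: the opening quotation mark is missing at four places ("(in Dutch: <i>eigendomsvoorbehoud</i>”)", and likewise before gerechtelijke-, eigen risico and rechtbank), "vis-á-vis" should be "vis-à-vis" (twice), the heading "What happens when third parties lodge a claim..." is the only one not wrapped in `<b>`, and "EUR 10.000" uses the Dutch thousands separator in an English text where it reads as ten euros; write "EUR 10,000".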

View File

@@ -0,0 +1,17 @@
<?xml version="1.0" encoding="UTF-8"?>
<section id="greyboxing">
<title>The Grey-Box Pentesting Method</title>
<p>
<!--snippet -->Crystal-Box vs. Black-Box pentesting refers to the amount of information
regarding the target environment, architecture, and/or applications that is
initially shared by the customer with the pentesters. With Black-Box testing,
pentesters are given no information whatsoever about the target(s). With
Crystal-Box testing, pentesters are given all information requested about the target(s),
including source-code (when relevant), access to developers or system management, etc..
<br />
<br />
<company_short/> will conduct Gray-Box testing, which means that partial information is
given on the target.
</p>
</section>
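Review bot: the title and `id` say "Grey-Box" while the body says "Gray-Box testing"; settle on one spelling, ideally the same hyphenation and casing as the black-box and crystal-box files. The shared intro paragraph carries the same "etc.." double period as the black-box file and the `<!--snippet -->` marker again sits inside `<p>`, so whatever is decided for the black-box hunk applies here too.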

View File

@@ -0,0 +1,11 @@
<section xmlns:xi="http://www.w3.org/2001/XInclude">
<title>Introduction</title>
<p><client_long/> (hereafter “<b><client_short/></b>”), with its registered office
at <client_street/>, <client_city/>, <client_country/>, has requested <company_long/>
(hereafter “<b><company_short/></b>”) to perform <company_svc_long/>.
Motivation for this request is that <client_short/> wishes to get a better
insight in ...</p>
<p>This offer sets out the scope of the work and the terms and conditions under
which <company_short/> will perform these services.</p>
</section>
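Review bot: "wishes to get a better insight in ..." leaves a literal ellipsis that renders as-is whenever an author forgets to edit it. The other client-specific fields in this file are placeholder elements (`<client_long/>`, `<client_street/>`), so a dedicated placeholder element for the motivation (a suggestion, not an existing element) would make an unfilled offer visibly wrong or fail generation instead of shipping with "...". Grammar: "insight into". The `xmlns:xi` declaration is unused in this file; harmless, but drop it if no include is planned.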

View File

@@ -0,0 +1,67 @@
<?xml version="1.0" encoding="UTF-8"?>
<section xmlns:xi="http://www.w3.org/2001/XInclude">
<title>Pentest Methodology</title>
<p>During the execution of penetration tests, <company_long/> broadly follows
the following steps:</p>
<ol>
<li>Requirements Gathering and Scoping; </li>
<li>Discovery;</li>
<li>Validation;</li>
<li>Information Collection;</li>
<li>Threat and Vulnerability Analysis;</li>
<li>Exploitation;</li>
<li>Reporting;</li>
</ol>
<p><b>Step 1: Requirements Gathering and Scoping</b> <br/>
The expectations of both parties are discussed and agreements are made regarding
how to conduct the test(s). For example, contact details and the pentest's scope
are documented.</p>
<p><b>Step 2: Discovery</b><br/>
As much information as possible about the target organization and target objects
is collected. This information is passively gathered, primarily from public sources.</p>
<p><b>Step 3: Validation</b><br/>
All customer-specified systems are cross-referenced with findings from the
Discovery step. We do this to ensure that discovered systems are legal property
of the customer and to verify the scope with the customer.</p>
<p><b>Step 4: Information Collection</b><br/>
Information from Step 2 is now used to actively collect information about the
system. Activities conducted during this phase may include:
Determining which parts of the various components will be investigated;
Testing for the presence of known vulnerabilities, using automated tests;
Identifying the offered services and fingerprinting the software used for them.</p>
<p><b>Step 5: Threat and Vulnerability Analysis</b><br/>
Potential threats and vulnerabilities are indexed, based upon the collected information.</p>
<p><b>Step 6: Exploitation</b><br/>
Attempt to use vulnerabilities of the various components.
The diverse applications and components of the client's infrastructure are
relentlessly probed for frequently occurring design, configuration, and
programming errors.</p>
<p>Note: <company_long/> uses open-source scanning tools to get its bearings,
but generally performs most of the exploitation by hand.</p>
<p><b>Step 7: Reporting</b><br/>
After finishing the audit, a report will be delivered where the step-by-step
approach, results, and discovered vulnerabilities are described. The report and
results will be presented to the responsible project leader or manager at the
client's office.</p>
<p>Steps 4-6 may be repeated multiple times per test. For example, access may be
acquired in an external system, which serves as a stepping-stone to the internal network.
The internal network will then be explored in Steps 4 and 5, and exploited in Step 6.</p>
<!--DO NOT INCLUDE ANY OF THESE-->
<!--xi:include href="crystal-box.xml"/-->
<!--xi:include href="black-box.xml"/-->
<!--xi:include href="grey-box.xml"/-->
</section>
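Review bot: in Step 4 the three activities ("Determining which parts of the various components will be investigated; Testing for the presence of known vulnerabilities, using automated tests; Identifying the offered services...") are run together inside one `<p>` with semicolons; put them in a `<ul>` like the other lists in this file so the item breaks survive rendering. Smaller points: the `xmlns:xi` declaration is only used by the commented-out includes under "DO NOT INCLUDE ANY OF THESE", so either delete both or keep one live include; "Attempt to use vulnerabilities" in Step 6 should be "Attempt to exploit vulnerabilities"; and "After finishing the audit" in Step 7 should say "test", as the rest of the section does.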

View File

@@ -0,0 +1,128 @@
<?xml version="1.0" encoding="UTF-8"?>
<section>
<!-- for an example load testing offer, ask other writers!-->
<title>Load testing</title>
<p>The aim of load testing is to measure what realistic level of performance a
service deployment is capable of delivering, or whether it meets a specific
performance requirement, in a consistent and repeatable way. For web sites
and applications it usually involves simulating multiple visitors using the
site's features in various ways. This sets it apart from DDoS testing, which
is much more indiscriminate. For load testing, <company_long/>
generally executes the following steps:
</p>
<ol>
<li>Establishing the aim of the load test;</li>
<li>Defining user types to simulate;</li>
<li>Choosing appropriate test volumes;</li>
<li>Collecting URLs and form data for each user type;</li>
<li>Implementing user simulation scripts;</li>
<li>Running appropriate load tests;</li>
<li>Reporting results;</li>
</ol>
<p>
<b>Step 1: Establishing the aim of the load test</b>
<br/>
Load testing needs a well-defined purpose to be useful. There is usually an
underlying reason for wanting to load test, for example users may have
complained your site is slow, or you're evaluating new technology and want
to see whether it brings performance improvements. These reasons boil down
to running some specific tests, usually one or more of:
<ul>
<li>How much activity a system can cope with before it starts to fail (maximum
simultaneous users, maximum request rate)
</li>
<li>What level of performance can be sustained for a given load (average
response time for a fixed number of users)
</li>
<li>What level of load meets a given performance requirement (maximum
users while remaining below a target average response time)
</li>
</ul>
The last two are inverses of each other. A single test is only of moderate
interest - load tests are most useful when repeated so that multiple results
may be compared. It's important that the tests remain consistent, otherwise
they may not be compared meaningfully. Load testing may even be automated as
part of your site's development process so that changes can be evaluated for
performance before deployment.
</p>
<p>
<b>Step 2: Defining user types to simulate</b>
<br/>
Most web sites can group their users into general categories that can be
used as a basis for simulations, for example, a basic browser that looks at
the home and contact pages; a new user trying out some basic features; a
power user that understands the system and uses specific features
repeatedly.
</p>
<p>
<b>Step 3: Choosing appropriate test volumes</b>
<br/>
To provide realistic results it's important to choose test sizes
(simultaneous user count) that are appropriate for the size of the site, and
representative proportions of each user type. An example specification might
be 1000 simultaneous users split into 40% basic browsers, 40% new users, 20%
power users. Multiple tests can be run with different counts and user type
mixes.
</p>
<p>
<b>Step 4: Collecting URLs and form data for each user type</b>
<br/>
Each user type needs a sequence of URL requests and form submissions that
represents their activity. This can be done either by capturing HTTP traffic
using a proxy or by manual inspection of forms and URLs.
</p>
<p>
<b>Step 5: Implementing user simulation scripts</b>
<br/>
Test scripts can be created automatically (effectively replaying captured
URL sequences) or manually for tests requiring finer detail or greater
realism. Turning captured URLs into a user script can be complex and time
consuming - for example when the results of one request need to be
incorporated into a later form submission.
</p>
<p>
<b>Step 6: Running the load tests</b>
<br/>
Combining the user simulation scripts with the test volume settings in a
load testing system produces a working load test. Load tests can be run over
varying time periods, from a few minutes to hours or even days, depending on
the aims of the test. Intense load tests can impose enormous stress on web
sites, often to the point of failure, so they need to be undertaken
carefully and with regard for possible denial of service or downtime they
may cause.
</p>
<p>
<b>Step 7: Reporting results</b>
<br/>
Most load testing tools can generate useful output immediately, but they
often need filtering and interpretation to fulfil the aims of the test.
<company_short/>
has the necessary experience to produce comprehensible reports from the
flood of data that load testing generates.
</p>
<p>Steps 3 and 6 may be repeated for different usage scenarios. For example,
if the test aim is to see if supposed performance enhancements have had a
positive effect, the same test would be run before and after the changes to
allow comparison. In a fixed load test, multiple passes could be run with
100, 500, 1000, 2000 users, or a maximum load test using a slow increase
from 100 to 10000 users to see how far it gets before problems appear.
</p>
<p>There are many load testing tools of varying levels of sophistication,
including Apache's simple "ab" and more complex "JMeter" projects, the
Selenium project for fine-detail browser simulation.
<company_long/>
prefers to use open-source tools such as these. There are also online
commercial services that are useful for testing very large loads that
would otherwise be difficult and expensive to configure from scratch.
</p>
</section>
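Review bot: the tools sentence does not parse: "including Apache's simple "ab" and more complex "JMeter" projects, the Selenium project for fine-detail browser simulation" needs an "and" before "the Selenium project", and since both ab and JMeter are Apache projects it can simply read "Apache's simple ab and more complex JMeter, and the Selenium project for fine-detail browser simulation". Step 6 warns that intense tests can push a site "to the point of failure", but nothing in the section says that a test window and an abort contact are agreed with the customer beforehand; add that here or to the Prerequisites list, which already asks for "Contact information of system administrators, in case of emergencies". Also the `<ul>` under Step 1 is nested inside the `<p>`, whereas the methodology file keeps lists as siblings of `<p>`; check which form the stylesheet expects and use it consistently.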

View File

@@ -0,0 +1,51 @@
<?xml version="1.0" encoding="UTF-8"?>
<!--snippet -->
<section>
<title>Social Engineering: Phishing</title>
<p> <company_short/>
will engage in social-engineering-based attacks. As requested,
the focus will be on sending phishing emails to test how vulnerable
the selected targets are to this approach.
</p>
<p>For phishing to be successful it is important that
<company_short/>
has detailed information on the targets. Providing
<company_short/>
with a list of target names, roles, email addresses, departments, and
any other useful information, in advance will save significant research
time.
</p>
<p>The phishing process includes these stages:<br/>
<ul>
<li>Research target information</li>
<li>Group related targets</li>
<li>Create pretexts suitable for one or more groups</li>
<li>Build/adapt tools and services to implement the attack</li>
<li>Send mailings to the groups</li>
<li>Gather &amp; analyze results</li>
<li>Report conclusions</li>
</ul>
</p>
<p>First, targets are divided into groups, dependent upon their
departments, roles and interests. Next, content that might appeal to
each group is created or adapted into appropriate phishing pretexts. The
content may be new, using fictional company names, or based on existing
company information and content if pretexts need to be very realistic.
The mailings are usually sent using existing chat operated tools (and
<client_short/> may observe the process if interested), or alternatively
<company_short/>
may create something new, if the situation calls for it.
</p>
<p>To record which targets click message links, <company_short/>
uses click-tracking redirects, in the same way most email newsletters
do. When a target clicks on a link in a phishing mail, their email
address, IP address, and the name of the mailing is sent to us and
logged. Once a victim's click has been recorded, he/she is removed from
the target list as a single successful click is per target is sufficient
for the purposes of these benign attacks. Clicks may happen seconds,
days or weeks after sending, so it's important to wait for results to
accumulate. When sufficient mailings have been sent, and enough data has
(hopefully) been received, the logged results are analyzed and presented
in the final report.
</p>
</section>
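Review bot: the click-tracking paragraph says every click logs the target's "email address, IP address, and the name of the mailing", but the section never says how long that log is kept or that it is deleted once the report is delivered; with the confidentiality clause in Annex 1 in mind, add a sentence on retention of the click data. Two wording fixes: "a single successful click is per target is sufficient" has a stray "is", and "existing chat operated tools" is unclear (tools driven from the team chat described in Team and Reporting?); say what is meant.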

View File

@@ -0,0 +1,21 @@
<?xml version="1.0" encoding="UTF-8"?>
<section>
<title>Planning and Payment</title>
<p><company_short/> will uphold the following dates for the planning of the services:</p>
<ul>
<li><company_short/> performs a <company_svc_short/> on <p_testingduration/>.</li>
<li><company_short/> delivers the final report <p_reportdue/>.</li>
</ul>
<!-- snippet --><p>
Our fixed-fee price quote for the above described penetration
testing services is <p_fee/>.- excl. VAT and out-of-pocket expenses.
<company_short/> will send an invoice after completion of this assignment.
<client_short/> will pay the agreed amount within 30 days of the invoice date.
</p>
<!-- snippet --><p>
Any additional work will be charged separately. An hourly
rate for additional work will be agreed upon before starting this work.
</p>
</section>
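Review bot: the fee paragraph hard-codes "the above described penetration testing services" while the rest of the template parameterises the service as `<company_svc_long/>`, so a load-testing or phishing offer built from these files would misdescribe what is being quoted; use the placeholder. Also "performs a <company_svc_short/> on <p_testingduration/>" wants "during" or "from" for a duration, "delivers the final report <p_reportdue/>" is missing "on" or "by", and the `.-` after `<p_fee/>` assumes the fee placeholder carries no cents or currency suffix of its own.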

View File

@@ -0,0 +1,11 @@
<?xml version="1.0" encoding="UTF-8"?>
<section>
<title>Prerequisites</title>
<p>In order to perform this audit, <company_short/> will need access to:</p>
<!--Example of most common scenario, change if necessary!! :-->
<ul>
<li>Test accounts</li>
<li>Test environment</li>
<li>Contact information of system administrators, in case of emergencies</li>
</ul>
</section>
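Review bot: the list leaves out the one prerequisite the terms make mandatory: the Dutch terms section says <company_short/> only performs the test once the permission set out in the waiver (Annex 2) has been received, so "Signed waiver (Annex 2)" belongs at the top of this list. Also "In order to perform this audit" should use `<company_svc_short/>` like the other sections, and "Contact information of system administrators, in case of emergencies" is the natural place to add the agreed test window.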

View File

@@ -0,0 +1,38 @@
<?xml version="1.0" encoding="UTF-8"?>
<section>
<title>Project Overview</title><!-- section with an overview of ROS activities -->
<!-- snippet --><p><company_short/> will perform <company_svc_long/>
for <client_short/> of the systems described below. The services are intended
to gain insight into the security of these systems. To do so, <company_short/>
will access these systems, attempt to find vulnerabilities, and gain
further access and elevated privileges by exploiting any vulnerabilities
found.</p>
<!-- snippet --><p><company_short/> will test the following targets
(the “<b>Targets</b>”):</p>
<generate_targets/>
<!-- snippet --><p><company_short/> will test for the presence of the
most common vulnerabilities, using both publicly available vulnerability
scanning tools and manual testing. <company_short/> shall perform a
<p_duration/>-day, <p_boxtype/>, intrusive test via the internet.</p>
<!-- snippet --> <!--Not Needed if Disclaimer is Included; Duplicate Text-->
<!--p>It is possible that in the course of the penetration
testing, <company_short/> might hinder the operations of the Targets or
cause damage to the Targets. <client_short/> gives permission for this, to
the extent that <company_short/> does not act negligently or
recklessly. <client_short/> also warrants it has the authority to give such
permission.</p-->
<!-- snippet --><!--Not Needed if Disclaimer is Included; Duplicate Text-->
<!--p>It is important to understand the limits of
<company_short/>'s services. <company_short/> does not (and cannot)
give guarantees that something is secure. <company_short/> instead has
an obligation to make reasonable efforts (in Dutch:
“<i>inspanningsverplichting</i>”) to perform the agreed services.</p-->
<!--REMOVE commented-out text above if not including Disclaimer-->
</section>
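Review bot: the trailing editor comments contradict each other. The two commented-out paragraphs are labelled "Not Needed if Disclaimer is Included; Duplicate Text", but the last instruction says "REMOVE commented-out text above if not including Disclaimer", which is exactly the case in which those paragraphs are needed and should be uncommented. Reword to "UNCOMMENT the paragraphs above if the Disclaimer section is not included; otherwise delete them". Also "<p_duration/>-day, <p_boxtype/>, intrusive test via the internet" hard-codes an external test, while the methodology file explicitly covers pivoting into the internal network; make the attack vector a placeholder or mark the phrase as an example to change.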

View File

@@ -0,0 +1,3 @@
<?xml version="1.0" encoding="UTF-8"?>
<p>This offer sets out the scope of the work and the terms and conditions under
which <company_short/> will perform these services.</p>
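Review bot: this snippet duplicates the closing sentence of the Introduction section added earlier in this commit ("This offer sets out the scope of the work and the terms and conditions under which <company_short/> will perform these services."). If both are included, the sentence appears twice; keep it in one place, or remove it from the Introduction and `xi:include` this snippet there.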

View File

@@ -0,0 +1,52 @@
<?xml version="1.0" encoding="UTF-8"?>
<section>
<title>Team and Reporting</title>
<section>
<title>Team</title>
<p><company_short/> may perform the activities with its core-team
members, external freelancers, and/or volunteers.</p>
<p>First point of contact for this assignment shall be:</p>
<ul>
<li><company_poc1/> (<company_short/>)</li>
<li><client_poc1/> (<client_short/>)</li>
</ul>
<!-- remove this for non pentesting offers-->
<p>Our penetration tests are run a bit like a Capture The Flag
(CTF) competition:
<!-- remove this for non pentesting offers-->
<company_long/> has a geographically distributed team
and we use online infrastructure (RocketChat, GitLabs, etc.)
to coordinate our work. This enables us to invite the
customer to send several technical people from their
organization to join our <company_svc_short/> team on a volunteer basis.
Naturally, we extend this invitation to <client_short/> as well.</p>
<p>Throughout the course of the audit, we intend to actively
brainstorm with <client_short/> about both the <company_svc_short/> and the process.
This is a continuous learning experience for both us and you.
Also, in our experience, a tight feedback loop with the customer
greatly improves both the quality and focus of the engagement.</p>
</section>
<section>
<title>Reporting</title>
<p><company_short/> will report to <client_short/> on the <company_svc_short/>.
This report will include the steps it has taken during the
test and the vulnerabilities it has found. It will include
recommendations but not comprehensive solutions on how to address
these vulnerabilities.</p>
<p>A sample Pentest report can be found here</p>
<ul>
<li><a href="https://github.com/radicallyopensecurity/templates/blob/master/sample-report/REP_SittingDuck-pentestreport-v10.pdf">https://github.com/radicallyopensecurity/templates/blob/master/sample-report/REP_SittingDuck-pentestreport-v10.pdf</a></li>
</ul>
<p>One of <company_short/>'s Core Principles is the Teach
To Fish principle otherwise known as the 'Peek over our
Shoulder' (PooS) principle. We strive to structure our
services so they can also serve as a teaching or training
opportunity for our customers.</p>
</section>
</section>
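Review bot: the two "remove this for non pentesting offers" comments bracket only the first sentence of the CTF paragraph ("Our penetration tests are run a bit like a Capture The Flag (CTF) competition:"), so a writer who removes that sentence leaves the paragraph starting at "<company_long/> has a geographically distributed team" with no lead-in, and one who removes the whole `<p>` also drops the invitation to <client_short/> that applies to every offer. Split it into two `<p>` elements and put a single comment before the pentest-only one. Also "GitLabs" should be "GitLab", and "A sample Pentest report can be found here" wants a colon.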

View File

@@ -0,0 +1,80 @@
<?xml version="1.0" encoding="UTF-8"?>
<waivers>
<standard_waiver>
<title><company_svc_short/> - WAIVER</title>
<p><b><i><signee_long/></i> (<i><signee_short/></i>)</b>, with its registered office at <signee_street/>,
<signee_city/>, <signee_country/> and duly represented by <b><signee_waiver_rep/></b></p>
<p>
<b>WHEREAS:</b>
</p>
<p>A. <client_short/> wants some of its systems to be tested,
<company_long/> (“<company_short/>”) has offered to perform
such testing for <client_short/> and
<client_short/> has accepted this offer.
The assignment will be performed by <company_short/>' core-team members, external
freelancers, and/or volunteers (the “Consultants”).</p>
<p>B. Some of the activities performed by
<company_short/> and the
Consultants during the course of this assignment could be considered
illegal, unless <signee_short/> has given permission for
these activities. <company_short/>
and the Consultant will only perform such activities if they have received
the required permission.</p>
<p>C. <signee_short/> is
willing to give such permission to <company_short/>, the Consultants and any
other person <company_short/> might
employ or engage for the assignment.</p>
<p>
<b>DECLARES AS FOLLOWS:</b>
</p>
<p>1. <signee_short/> is
aware that <company_short/> will
perform <company_svc_long/> of the
following systems of <signee_short/>, as described
below. The services are intended to gain insight in the security of these
systems. To do so, <company_short/>
will access these systems, attempt to find vulnerabilities and gain further
access and elevated privileges by exploiting any vulnerabilities found.
<company_short/> will test the
following targets (the “<b>Targets</b>”):</p>
<generate_targets/>
<p>2. <signee_short/>
hereby grants <company_short/> and
the Consultants on a date to be confirmed by email the broadest permission
possible to perform the assignment, including the permission to:</p>
<p>a. enter and use the Targets;</p>
<p>b. circumvent, breach, remove and turn off
any security measures protecting the Targets;</p>
<p>c. copy, intercept, record, amend, delete,
render unusable or inaccessible any data stored on, processed by or
transferred via the Targets; and</p>
<p>d. hinder the access or use of the
Targets,</p>
<p>but <signee_short/>
only grants the permission for these activities to the extent that (i) such
activities are necessary to perform the assignment and (ii) such activities
do not disrupt the normal business operations of <signee_short/>.</p>
<p>3. The permission under Article 1 extends
to all systems on which the Targets run, or which <company_short/> or the Consultant might
encounter while performing the assignment, regardless of whether these
systems are owned by third parties.</p>
<p>4. <signee_short/>
warrants that it has the legal authority to give the permission set out
under Articles 1 and 2. It also warrants it has obtained the necessary
permissions from any third parties referred to under Article 3.</p>
<p>5. Should the public prosecutor initiate an
investigation or criminal proceedings against <company_short/> or any of the consultants it
engaged or employed as a result of the performance of the assignment for the
customer, then <signee_short/> will co-operate fully
with <company_short/> in defending
against this investigation or proceedings, including by providing any
evidence it has which relates to this investigation or these
proceedings.</p>
<generate_waiver_signature_box/>
</standard_waiver>
</waivers>
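Review bot: the article cross-references are off by one. The permission is granted in Article 2 (Article 1 only records that <signee_short/> is aware of the test), so "The permission under Article 1 extends" in Article 3 should read "under Article 2", and "the permission set out under Articles 1 and 2" in Article 4 should read "Articles 2 and 3". Separately, 2(d) grants permission to "hinder the access or use of the Targets" while clause (ii) withholds permission for anything that would "disrupt the normal business operations of <signee_short/>", so any hindering that is noticed falls outside the permission; either replace (ii) with the negligence standard used in the offer's disclaimer ("to the extent that <company_short/> does not act negligently or recklessly") or narrow (ii) to denial-of-service-style testing. Minor: "the Consultant" in recital B and Article 3 should be plural "Consultants" as defined in recital A, and "the customer" in Article 5 should be <signee_short/>.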

View File

@@ -0,0 +1,39 @@
<?xml version="1.0" encoding="UTF-8"?>
<section>
<title>Over ons <company_long/></title>
<p><company_long/> is 's werelds eerste non-profit computer security consultancy bedrijf.
Wij zijn een <i>Fiscaal Fondswervende Instelling</i> en in die hoedanigheid kunnen we 90 procent van onze winst
belastingvrij aan non-profit stichting NLnet doneren. Stichting NLnet ondersteunt al bijna twintig jaar
open-source, digitale rechten en internet onderzoek.</p>
<p>Onze winst worden dus niet uitgekeerd aan aandeelhouders, investeerders of eigenaren.
Met de winst dienen we de maatschappij. Omdat wij geen winstoogmerk hebben kunnen we de beste ethische
veiligheidsexperts rekruteren. Met onze kernwaarden trekken we gelijkgestemde klanten aan. Wij stellen onze klanten
in staat om met IT veiligheidsbudgetten sociaal verantwoord ondernemen te ondersteunen.
Het hoge tempo waarmee wij groeien weerspiegelt de positieve respons van de markt op onze idealistische
filosofie en ons innovatieve business model.</p>
<p><company_long/> heeft een aantal waarden die wij beschrijven als onze
"Kernwaarden." Deze zijn:</p>
<ul>
<li><b>Openheid van zaken</b><br/>
Wij bouwen geen toezichtssystemen, we helpen geen hacking activisten, we verkopen geen <i>exploits</i>
aan geheime diensten of iets in die richting. Als een opdracht ons moreel verwerpelijk lijkt, nemen
we die niet aan. </li>
<li><b>Open-Source</b><br/>
Wij geven ALLE tools en frameworks, die wij open-source bouwen, vrij op onze website.</li>
<li><b>Leren vissen</b><br/>
Tijdens de samenwerken delen wij niet alleen de resultaten met onze opdrachtgevers, maar
geven wij ook een stapsgewijze beschrijving waarmee klanten in de toekomst zelf de
veiligheid van hun systemen kunnen testen. Wij willen graag inzichtelijk maken wat we doen. Het is geen
hogere wiskunde. We helpen klanten om hun kennis en houding ten aanzien van veiligheid te verbeteren.</li>
<li><b>Gratis IoCs</b><br/>
Wij geven ALLE verzamelde bedreigingen (<i>Indicators of Compromise</i>) vrij in
een open-source <i>database</i> die iederen gratis kan gebruiken (Opgeschoond in
overeenstemming met klanten).</li>
<li><b>Zero days</b><br/>
Wij verkopen geen <i>'Zero days' exploits</i> (nuldagenaanval) - wij brengen ze op verantwoorde wijze aan het licht!</li>
</ul>
<p>Voor meer informatie over <company_long/> verwijzen wij u naar onze website:
<a href="http://www.radicallyopensecurity.com">www.radicallyopensecurity.com</a>.</p>
</section>
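Review bot: three grammar slips in the Dutch: "Onze winst worden dus niet uitgekeerd" has a singular subject, so "wordt"; "Tijdens de samenwerken" should be "Tijdens de samenwerking"; and "die iederen gratis kan gebruiken" should be "iedereen". The heading "Openheid van zaken" (transparency) does not match the bullet under it, which is about refusing surveillance work, exploit sales and morally objectionable assignments; give that bullet a heading that describes declining such work. The website link uses `http://`; use `https://`.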

View File

@@ -0,0 +1,13 @@
<?xml version="1.0" encoding="UTF-8"?>
<p>
<!--snippet -->Crystal-Box vs. Black-Box pentesting verwijst naar de hoeveelheid
informatie over het doelwit; de omgeving, architectuur, en/of applicaties die de klant
in eerste instantie deelt met de pentesters. Bij Black-Box testing ontvangen de
pentesters helemaal geen informatie over het doelwit. Bij Crystal-Box tests
ontvangen de pentesters alle informatie die opgevraagd wordt betreffende het doelwit,
inclusief broncode (wanneer dit relevant is), toegang tot ontwikkelaars of systeembeheer, etc...
<br />
In dit geval zal <company_short/> een Black-Box test uitvoeren.
</p>
<!-- end of template -->
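Review bot: the English grey-box file wraps its paragraph in `<section id="greyboxing">` with a `<title>`, while this Dutch black-box snippet is a bare `<p>`; if the methodology section is meant to include whichever box type applies, the two render differently. Also "informatie over het doelwit; de omgeving, architectuur, en/of applicaties" uses a semicolon where a colon is meant, "etc..." should be "etc.", and "Black-Box test" and "Crystal-Box tests" mix singular and plural.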

View File

@@ -0,0 +1,41 @@
<?xml version="1.0" encoding="UTF-8"?>
<section>
<title>Broncode Audit</title>
<p><company_short/> zal een broncode audit uitvoeren ter ondersteuning van pentesting.
Gedurende een code audit onderzoeken wij handmatig de broncode van een applicatie
om te verzekeren dat er geen kwetsbaarheden in de beveiliging zitten en gebruiken wij
ons begrip van de code om het pentesten te leiden. Als er kwetsbaarheden gevonden worden
documenteren wij deze en komen met suggesties om deze op te lossen. Dit wordt gedaan
door goed-getrainde penetratie testers die zowel raw code kunnen herzien,
als het interpreteren van de bevindingen van de geautomatiseerde scans, wat het in context brengt.</p>
<p>Tijdens het code audit gedeelte van penetratie tests nemen wij de volgende criteria mee:</p>
<ol>
<li>Risico Beoordeling en "Dreiging Modellering"<br/>
In deze stap analyseren wij de risico's van een bepaalde applicatie of systeem.
Dreiging Modellering is een specifieke, gestructureerde aanpak voor risico
analyse dat ons in staat stelt om beveiligingsrisico's te identificeren,
kwalificeren en te addresseren. Dit is de reden voor de vervlechting met
het proces van Code Herziening. Bijvoorbeeld: Gebruiksgegevens zijn heilig.
Wij focussen op versleutelde opslag, ontdekken of <client_short/> werknemers
een "backdoor" in hun data hebben en snijden gestolen toestellen af
door deze op afstand te wissen en accounts in te trekken.</li>
<li>Doel en Context<br/>
Hier focussen wij op de risico's, voornamelijk in het snel en gemakkelijk
delen van interne documenten en routebeschrijvingen. Accountgegevens
zijn niet zo geheim als wij weten wie in een vergadering zit, maar
wat besproken wordt geheim is.</li>
<li>Complexiteit<br/>
De complexiteit van het systeem zit hem in de frameworks die de
webapplicatie ondersteunen. Wij zouden deze negeren en ons alleen richten
op de "custom" en backend code, waarvan wij weten dat het gebaseerd is
op .NET/ C#. We zouden ons ook focussen op implementatiefouten en bekende
fouten in de systemen. Bijvoorbeeld: We zouden bevestigen of u de laatste
versie van de software gebruikt, maar we zouden niet delven in het framework zelf.
Omdat wij aannemen dat de code is geschreven door een team zal dit waarschijnlijk duidelijk
geschreven code zijn. Als u meerdere full-release versies heeft, zullen er
ongetwijfeld meerdere code revisies en audits op deze code zijn.</li>
</ol>
<p>Voor meer informatie verwijzen wij u naar de volgende link:
<a href="https://www.owasp.org/index.php/OWASP_Code_Review_V2_Table_of_Contents">https://www.owasp.org/index.php/OWASP_Code_Review_V2_Table_of_Contents</a></p>
</section>
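Review bot: the three criteria carry details from a specific engagement that do not belong in a generic template: "waarvan wij weten dat het gebaseerd is op .NET/ C#" under Complexiteit, the stolen-device and remote-wipe scenario under Risico Beoordeling, and the meeting-attendance scenario under Doel en Context. Turn them into placeholders, or wrap them in an "example, change if necessary" comment as the Prerequisites file does, so they cannot ship unchanged. Also "Dreiging Modellering" is a literal rendering; "threat modelling" or "dreigingsmodellering" reads naturally, and "addresseren" should be "adresseren". Check that the OWASP Code Review link still resolves before the template is used.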

View File

@@ -0,0 +1,21 @@
<?xml version="1.0" encoding="UTF-8"?>
<section>
<title>Algemene voorwaarden</title>
<!-- snippet --><p><company_short/> zal alleen de <company_svc_short/>
uitvoeren als het de toestemming heeft gekregen van <generate_permission_parties/>
zoals uiteengezet in de penetration test verklaring, bijgevoegd als <b>Annex 2</b>,
of verschafd als los document.</p>
<p><company_short/> voert deze opdracht uit op basis van de algemene voorwaarden,
die bijgevoegd zijn als Annex 1.
<company_short/> weigert alle algemene voorwaarden die gebruikt worden door
<client_short/>.</p>
<p>Om akkoord te gaan met dit aanbod, tekent u deze brief in tweevoud en retourneert
deze naar:</p>
<contact>
<name><company_legal_rep/></name>
<address><company_long/><br/>Overdiemerweg 28<br/>1111 PP Diemen</address>
<email>melanie@radicallyopensecurity.com</email>
</contact>
<generate_offer_signature_box/>
</section>
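Review bot: the return-address block mixes placeholders and literals: `<name><company_legal_rep/></name>` and `<company_long/>` are parameterised, but the street, postal code, city and the email address are hard-coded, so the company data file is not the single source of truth here; add placeholders for those fields. Also "bijgevoegd als <b>Annex 2</b>" is bold while "bijgevoegd zijn als Annex 1" in the next paragraph is not; make the two consistent, and "penetration test verklaring" should be one term, "penetratietestverklaring".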

View File

@@ -0,0 +1,20 @@
<?xml version="1.0" encoding="UTF-8"?>
<!--snippet -->
<p>
Crystal-Box vs. Black-Box pentesting verwijst naar de hoeveelheid
informatie over de doelwit omgeving, architectuur, en/of applicaties die de klant
in eerste instantie deelt met de pentesters. Bij Black-Box testing ontvangen de
pentester helemaal geen informatie over het doelwit. Bij Crystal-Box tests
ontvangen de pentesters alle informatie die opgevraagd wordt betreffende het doelwit,
inclusief source code (wanneer dit relevant is), toegang tot developers of systeembeheer, etc...
<br />
<br />
<company_short/> zal een Crystal-Box pentest uitvoeren, wat de voorkeursmethode is.
In tegenstelling tot "real world" aanvallers, die alle tijd van de wereld hebben,
vinden pentests plaats in een beperkt tijdsbestek. Crystal-Box pentesting biedt ons
de mogelijkheid om zo efficiënt mogelijk onze tijd te benutten, wat zorgt voor
een maximalisatie van het aantal kwetsbaarheden die kunnen worden gevonden.
Daarnaast sluit de Crystal-Box pentest het beste aan bij de "Meekijken over de Schouder"
optie die <company_short/> aanbiedt aan <client_short/>.
</p>
<!-- end of template -->
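Review bot: terminology differs between the two Dutch box-type snippets: this one says "source code" and "developers" where the black-box snippet says "broncode" and "ontwikkelaars"; use the Dutch terms in both. Also "de doelwit omgeving" should be "de doelwitomgeving", "etc..." should be "etc.", and the double `<br />` produces a blank line that the black-box snippet (single `<br />`) does not; pick one layout.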

View File

@@ -0,0 +1,24 @@
<?xml version="1.0" encoding="UTF-8"?>
<section>
<title>Vrijwaring</title>
<p>Het is mogelijk dat in de loop van het penetratie testen <company_short/>
de operaties van het doelwit hindert of hier schade aan toebrengt.
<client_short/> geeft hier toestemming voor, onder voorbehoud dat <company_short/>
hier niet nalatig of roekeloos mee omgaat. <client_short/> waarborgt dit ook en heeft de bevoegdheid om
hier toestemming voor te geven.</p>
<p>Het is van belang om de limitaties van de diensten van <company_short/> te begrijpen.
<company_short/> geeft geen (en kan geen) garanties geven dat iets veilig is.
<company_short/>, heeft in plaats daarvan, een wettelijke inspanningsverplichting
voor de uit te voeren diensten.</p>
<p><company_short/> en <client_short/> komen hierbij overeen dat redelijke maatregelen
worden getroffen om, de vertrouwelijkheid van informatie en persoonlijke
gegevens van de doelwitten waar zij toegang tot krijgen
in de loop van het uitvoeren van de penetratie test, in stand wordt gehouden.
Beide partijen zullen de informatie en data die zij ontvangen of waar zij toegang tot krijgen
alleen gebruiken ten behoeve van de doelen die beschreven zijn in deze overeenkomst.
<company_short/> garandeert dat alle kern-leden, externe freelancers en vrijwilligers
die betrokken zijn bij het uitvoeren van de penetratie test een geheimhoudingsverklaring (NDA) hebben getekend.</p>
</section>
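Review bot: the Dutch disclaimer drifts from the English wording it mirrors (the commented-out paragraphs in Project Overview and Annex 1). "<client_short/> waarborgt dit ook en heeft de bevoegdheid om hier toestemming voor te geven" says the client guarantees this and has the authority, whereas the English is "<client_short/> also warrants it has the authority to give such permission"; render it as "<client_short/> staat er tevens voor in dat het bevoegd is deze toestemming te geven". Likewise "een wettelijke inspanningsverplichting" adds "wettelijke" (statutory), which the English "obligation to make reasonable efforts" does not have; drop it. Minor: "penetratie testen" should be "penetratietesten".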

View File

@@ -0,0 +1,3 @@
<?xml version="1.0" encoding="UTF-8"?>
<!-- snippet --><p>Gebaseerd op de verstrekte informatie, verwachten wij dat het dienstverband <p_duration/> dagen duurt.
De planning van dit dienstverband is als volgt:</p>
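Review bot: "dienstverband" means an employment relationship, not an engagement; both occurrences should be "opdracht" ("verwachten wij dat de opdracht <p_duration/> dagen duurt" and "De planning van deze opdracht is als volgt:").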

View File

@@ -0,0 +1,197 @@
<?xml version="1.0" encoding="UTF-8"?>
<annex>
<title>Annex 1<br/>General Terms and Conditions</title>
<p><b>What is this document?</b></p>
<p>These are the general terms and conditions (in Dutch: “<i>algemene voorwaarden</i>”)
of <company_long/> (<company_short/>). This version of the general terms and conditions
is dated 15 July 2014.</p>
<p>In the spirit of <company_short/>'s philosophy, <company_short/> wants these
general terms and conditions to be as understandable as possible. If you have any
questions, feel free to ask for clarification.</p>
<p><b>What is <company_long/>?</b></p>
<p><company_short/> is a private limited liability company under Dutch law located
in Amsterdam, The Netherlands. It is registered at the Dutch Chamber of Commerce
under no. 60628081.</p>
<p><b>To what do these terms and conditions apply?</b></p>
<p>These general terms and conditions apply to all agreements between <company_short/>
and the customer. <company_short/> rejects any terms and conditions used by the
customer. The parties can only deviate from these general terms and conditions
in writing. These general terms and conditions are also intended to benefit any
person employed or engaged by <company_short/> during the performance of an assignment.</p>
<p><b>How does <company_short/> agree on an assignment?</b></p>
<p><company_short/> wants both parties to have a clear picture of an assignment
before it starts. This means there only is an agreement between <company_short/>
and the customer after <company_short/> sends a written offer containing the key
terms of the agreement and the customer subsequently accepts the offer.
Communications other than the written offer do not form part of the agreement.
<company_short/> can rescind an offer until it is accepted by the customer.</p>
<p><b>What can the customer expect from <company_short/>?</b></p>
<p>It is important to understand the limits of <company_short/>'s services.
<company_short/> does not (and cannot) give guarantees that something is secure.
<company_short/> instead has an obligation to make reasonable efforts
(in Dutch: “<i>inspanningsverplichting</i>”) to perform the agreed services.</p>
<p><company_short/> will make reasonable efforts to perform the assignment in
accordance with the plan set out in the offer (if any). If <company_short/>
expects it will not fulfill the plan as documented, it will let the customer
know without delay. <company_short/> is not automatically deemed to be in default
if it doesn't meet the plan.</p>
<p><company_short/> will make reasonable efforts to avoid disruption of the
customer's operations and damage to its owned or operated systems, but it
cannot guarantee that this will be avoided. The customer agrees
to this. <company_short/> is not obliged to restore the systems or recover any
data deleted or amended in the course of the assignment.</p>
<p><b>What can <company_short/> expect from the customer?</b></p>
<p>The customer will provide <company_short/> with all means necessary to allow
<company_short/> to perform the agreed services. If <company_short/> needs explicit
permission from the customer to perform its services (for example, when doing
penetration tests) the customer gives this permission. The customer also warrants
that it has the legal authority to give this permission.</p>
<p><b>How do the parties handle confidential information?</b></p>
<p><company_short/> and the customer will not disclose to others confidential
information and personal data they receive from each other or gain access to in
the course of an assignment. <company_short/> has the right to disclose this
information and data to persons engaged by <company_short/>, but only if these
persons have a similar confidentiality obligation vis-á-vis <company_short/>.
Any person will only use the information and data it receives or gains access
to for the purposes following from the agreement. Both parties will take reasonable
measures to maintain the confidentiality of the information and data they received
or gained access to, and will ensure that persons engaged by them do the same.</p>
<p><b>What does <company_short/> do with vulnerabilities it finds in the course
of an assignment?</b></p>
<p>If <company_short/> in the course of an assignment finds a vulnerability which
might affect the customer, it will report this to the customer. If a vulnerability
might affect third parties as well, <company_short/> retains the right to disclose
this vulnerability also to others than the customer. It will only do so after
having given the customer a reasonable period to take measures minimising the
impact of the vulnerability, in line with responsible disclosure best practices.</p>
<p><b>What does <company_short/> do with indicators of compromise it finds?</b></p>
<p>If <company_short/> in the course of an assignment finds indicators of
compromise, such as malware signatures and IP-addresses, it will report this to
the customer. <company_short/> retains the right to also publish this information
in a publicly accessible database. It will only do so after it has given the
customer the opportunity to object to the publication of data which would
negatively impact the customer.</p>
<p><b>Who owns the products developed in the course of the assignment?</b></p>
<p><company_short/> retains any intellectual property rights in products developed
for an assignment, such as software and reports. <company_short/>, however, wants
to teach as many customers as possible 'how to fish'.</p>
<p>For software it developed, this means that <company_short/> gives the customer
a permanent, non-exclusive, transferable, sub-licensable, worldwide license to
distribute and use the software in source and binary forms, with or without
modification (very similar to the BSD-license). If <company_short/>'s software
is based on other software which is provided under a license which restricts
<company_short/>'s ability to license its own software (such as the GPLv3 license),
the more restrictive license will apply.</p>
<p>For other products it developed, such as reports and analyses, <company_short/>
gives the customer the same license, but this license is exclusive to the customer
and does not contain the right to modification. The latter condition is intended
to ensure that the customer will not change <company_short/>'s products, such as
reports and analyses. <company_short/> retains the right to reuse these products,
for example for training and marketing purposes. <company_short/> will remove any
confidential information from these products before publication.</p>
<p><company_short/> retains title to any property transferred to the customer
until all outstanding payments by the customer have been done in full (in Dutch:
<i>eigendomsvoorbehoud</i>”). <company_short/> also only gives a license after
all outstanding payments have been done in full.</p>
<p><b>Who will perform the assignment?</b></p>
<p><company_short/> has the right to appoint the persons who will perform the
assignment. It has the right to replace a person with someone with at least the
same expertise, but only after having consulted with the customer. This means
that section 7:404 Dutch Civil Code (in Dutch: “<i>Burgerlijk Wetboek</i>”) is
excluded.</p>
<p>Due to the nature of <company_short/>'s business, <company_short/> regularly
works with freelancers for the performance of its assignments. <company_short/>
has the right to engage third parties, including freelancers, in the course of
the performance of an assignment.</p>
<p><company_short/> wants to be able to use the expertise of its entire team to
help with an assignment. This means that in the course of an assignment, it is
possible that the persons performing the assignment will consult with and be
advised by others in <company_short/>'s team. These others will of course be
bound by the same confidentiality obligations as the persons performing the assignment.</p>
<p><b>What happens when the scope of the assignment is bigger than agreed?</b></p>
<p><company_short/> and the customer will attempt to precisely define the scope
of the assignment before <company_short/> starts. If during the course of the
assignment, the scope turns out to be bigger than expected, <company_short/>
will report this to the customer and make a written offer for the additional work.</p>
<p><b>How is payment arranged?</b></p>
<p>All amounts in <company_short/>'s offers are in Euros, excluding VAT and
other applicable taxes, unless agreed otherwise.</p>
<p>For assignments where the parties agreed to an hourly fee, <company_short/>
will send an invoice after each month. For other assignments, <company_short/>
will send an invoice after completion of the assignment, and at moments set out
in the offer (if any). The customer must pay an invoice within 30 days of the
invoice date.</p>
<p><company_short/> may, prior to an assignment, agree on the payment of a
deposit by the customer. <company_short/> will settle deposits with interim
payments or the final invoice for the assignment.</p>
<p>If the payment is not received before the agreed term, the client will be
deemed to be in default without prior notice. <company_short/> will then have
the right to charge the statutory interest (in Dutch: “<i>wettelijke rente</i>”)
and any judicial and extrajudicial (collection) costs (in Dutch:
<i>gerechtelijke- en buitengerechtelijke (incasso)kosten</i>”).</p>
<p>If the customer cancels or delays the assignment two weeks before it starts,
<company_short/> is entitled to charge the customer 50% of the agreed price.
If the customer cancels or delays the assignment after it already started,
<company_short/> is entitled to charge the customer 100% of the agreed price.
<company_short/> is entitled to charge a pro rata percentage in the case of
cancellation or delay shorter than two weeks before the start of the assignment
(i.e. a cancellation one week before the assignment would entitle <company_short/>
to charge 75% of the agreed price).</p>
<p><b>For what can <company_short/> be held liable?</b></p>
<p>Any liability of <company_short/> resulting from or related to the performance
of an assignment, shall be limited to the amount that is paid out in that
specific case under an applicable indemnity insurance of <company_short/>,
if any, increased by the amount of the applicable deductible (in Dutch:
<i>eigen risico</i>”) which under that insurance shall be borne by <company_short/>.
If no amount is paid out under an insurance, these damages are limited to the
amount already paid for the assignment, with a maximum of EUR 10.000.
Each claim for damages shall expire after a period of one month from the day
following the day on which the customer became aware or could reasonably
be aware of the existence of the damages.</p>
<p>To make things clear, <company_short/> is not liable if a person associated
with <company_short/> acts contrary to any confidentiality or non-compete
obligation vis-á-vis the customer or a third party, this person might have
agreed to in another engagement.</p>
<p>What happens when third parties lodge a claim or initiate criminal proceedings
against <company_short/>?</p>
<p>The customer shall indemnify <company_short/> and any person employed or
engaged by <company_short/> for any claims of third parties which are in any
way related to the activities of <company_short/> and any person employed or
engaged by <company_short/> for the customer.</p>
<p>Should a third party lodge a claim against <company_short/> or any of the
consultants it engaged or employed as a result of the performance of the assignment
for the customer, then the customer will co-operate fully with <company_short/>
in defending against this claim, including by providing to <company_short/> any
evidence it has which relates to this claim.
Should the public prosecutor initiate an investigation or criminal proceedings
against <company_short/> or any of the consultants it engaged or employed as a
result of the performance of the assignment for the customer, then the customer
will also co-operate fully with <company_short/> in defending against this
investigation or proceedings, including by providing any evidence it has which
relates to this investigation or these proceedings.</p>
<p>The customer shall reimburse <company_short/> and any person employed or
engaged by <company_short/> all costs of legal defence and all damages in
relation to these claims, investigations or proceedings. This provision does
not apply to the extent a claim, investigation, or proceeding is the result of
the intent or recklessness (in Dutch: “<i>opzet of bewuste roekeloosheid</i>”)
of <company_short/> or a person employed or engaged by <company_short/>.</p>
<p><b>When is this agreement terminated and what happens then?</b></p>
<p>Each of the parties may terminate the agreement wholly or partly without
prior notice if the other party is declared bankrupt or is being wound up or if
the other party's affairs are being administered by the court
(in Dutch: “surséance van betaling”).</p>
<p><b>When can <company_short/> not be expected to perform the assignment?</b></p>
<p>In the case of force majeure (in Dutch: “<i>overmacht</i>”) as a result of
which <company_short/> cannot reasonably be expected to perform the assignment,
the performance will be suspended. Situations of force majeure include cases
where means, such as soft- and hardware, which are prescribed by the customer
do not function well. The agreement may be terminated by either party if a
situation of force majeure has continued longer than 90 days. The customer will
then have to pay the amount for the work already performed pro rata.</p>
<p><b>Which law applies and which court is competent?</b></p>
<p>Dutch law applies to the legal relationship between <company_short/> and its
customers. Any dispute between <company_short/> and a customer will be resolved
in the first instance exclusively by the District Court (in Dutch:
<i>rechtbank</i>”) of Amsterdam, the Netherlands.</p>
</annex>
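Review bot: the cancellation clause leaves a gap: it sets 50% for cancellation "two weeks before it starts", 100% after the start and a pro rata percentage for "cancellation or delay shorter than two weeks before the start", but says nothing about cancellation more than two weeks before the start; write "two weeks or more before it starts" (or state the fee for earlier cancellation) so the schedule is complete. Smaller points in the same file: "EUR 10.000" in the liability cap reads as ten euros in English, so write "EUR 10,000"; "vis-á-vis" (twice) should be "vis-à-vis"; the question "What happens when third parties lodge a claim or initiate criminal proceedings against <company_short/>?" is the only heading not wrapped in <b>; and "surséance van betaling" is the only Dutch term not wrapped in <i>.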

View File

@@ -0,0 +1,10 @@
<?xml version="1.0" encoding="UTF-8"?>
<section xmlns:xi="http://www.w3.org/2001/XInclude">
<title>Inleiding</title>
<p><client_long/> (hierna “<b><client_short/></b>”), statutair gevestigd te
<client_street/>, <client_city/>, <client_country/>, heeft <company_long/> (hierna
<b><company_short/></b>”) verzocht een <company_svc_long/> uit te voeren. Motivatie
voor dit verzoek is dat <client_short/> een beter inzicht wenst te krijgen in ...</p>
<p>Deze offerte beschrijft de scope van het werk en de voorwaarden waaronder <company_short/> deze diensten zal uitvoeren.</p>
</section>
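Review bot: the xmlns:xi="http://www.w3.org/2001/XInclude" declaration on <section> is unused (there is no xi:include in the file); drop it or add the include it was meant for. The sentence ending in "wenst te krijgen in ..." is a fill-in placeholder that carries none of the <!-- snippet --> or "change if necessary" markers the other templates use, so an unfinished offer could be generated silently; mark it with a comment.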

View File

@@ -0,0 +1,58 @@
<?xml version="1.0" encoding="UTF-8"?>
<section>
<title>Pentest Methodologie</title>
<p>Tijdens het uitvoeren van de penetratie tests volgt <company_long/> in grote lijnen de volgende stappen:</p>
<ol>
<li>Benodigdheden Verzamelen en Scoping; </li>
<li>Ontdekking;</li>
<li>Validatie;</li>
<li>Informatieverzameling;</li>
<li>Analyse van Bedreigingen en Kwetsbaarheden;</li>
<li>Exploitatie;</li>
<li>Rapportage;</li>
</ol>
<p><b>Step 1: Benodigdheden Verzamelen en Scoping</b> <br/>
De verwachtingen van beide partijen worden besproken en overeenkomsten worden gemaakt
betreffende het uitvoeren van de test(s). Bijvoorbeeld, contactgegevens en de
scope van de pentest worden vastgelegd.</p>
<p><b>Step 2: Ontdekking</b><br/>
Zo veel mogelijk informatie betreffende de "target" organisatie en de "target" objecten
wordt verzameld. Deze informatie wordt passief verzameld, voornamelijk uit publieke bronnen.</p>
<p><b>Step 3: Validatie</b><br/>
Alle door de klant gespecificeerde systemen worden kruisverwezen met de bevindingen
van de Ontdekking stap. Wij doen dit om te garanderen dat de ontdekte systemen
wettelijk eigendom van de klant zijn en om de scope met de klant te verifiëren.</p>
<p><b>Step 4: Informatieverzameling</b><br/>
Informatie uit Stap 2 wordt hier gebruikt om actief informatie betreffende de
systemen te verzamelen. Activiteiten gedurende deze fase kunnen het volgende inhouden:
Vaststellen welke onderdelen van de verscheidene componenten zullen worden onderzocht;
Testen op de aanwezigheid van bekende kwetsbaarheden, gebruikmakend van automatische tests;
De aangeboden diensten identificeren en de voor hen gebruikte software te "fingerprinten."</p>
<p><b>Step 5: Analyse van Bedreigingen en Kwetsbaarheden</b><br/>
Potentiële bedrijgingen en kwetsbaarheden worden geïndexeerd, gebaseerd op de verzamelde informatie.</p>
<p><b>Step 6: Exploitatie</b><br/>
Hier wordt gepoogd om kwetsbaarheden van de verscheidene componenten te gebruiken.
De diverse applicaties en componenten van de klants infrastructuur worden
meedogenloos gesondeerd voor frequent voorkomende design-, configuratie- en programmeerfouten.</p>
<p>Notitie: <company_long/> gebruikt als basis open-source scanning tools, maar
voert in het algemeen de meeste exploitatie handmatig uit.</p>
<p><b>Step 7: Rapportage</b><br/>
Na het afronden van de verificatie zal een rapport worden geleverd met een stapsgewijze benadering,
waarbij resultaten en ontdekte kwetsbaarheden worden beschreven. Het rapport en de resultaten
zullen worden gepresenteerd aan de verantwoordelijke projectleider of -manager in het kantoor van de klant.</p>
<p>Stappen 4-6 kunnen meerdere malen herhaald worden per test. Voorbeeld: Toegang kan worden
verkregen in een extern systeem dat fungeert als een opstapje tot het interne netwerk.
Het interne netwerk zal vervolgens worden verkend in Stappen 4 en 5, om vervolgens te worden geëxploiteerd in Stap 6.</p>
</section>
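Review bot: the step headings read "Step 1" to "Step 7" in an otherwise Dutch document, while the parallel basic-scan template uses "Stap"; make them "Stap". Also: "bedrijgingen" in step 5 should be "bedreigingen"; the last item of the overview list, "Rapportage;", should end with a full stop rather than a semicolon; the three activities in step 4 (vaststellen, testen, identificeren) are run together in one paragraph separated by semicolons and would read better as a <ul>, as the basic-scan template does; and "de klants infrastructuur" should be "de infrastructuur van de klant".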

View File

@@ -0,0 +1,65 @@
<?xml version="1.0" encoding="UTF-8"?>
<section id="basicscanmethodology">
<title><company_svc_short/> methodologie</title>
<p>Tijdens het uitvoeren van de <company_svc_long/> volgt <company_long/> in grote lijnen de volgende stappen:</p>
<ol>
<li>vaststellen van vereisten en scoping</li>
<li>uitvoeren van scans</li>
<li>analyseren van bedreigingen en kwetsbaarheden</li>
<li>rapporteren van bevindingen</li>
</ol>
<p><b>Stap 1: vaststellen van vereisten en scoping</b> <br/>
De verwachtingen van beide partijen worden besproken en er worden afspraken
gemaakt betreffende het uitvoeren van de test(s). De benodige vereisten zoals
de contactgegevens en het bereik van de <company_svc_short/> worden vastgesteld.
</p>
<p><b>Stap 2: uitvoeren van scans</b><br/>
In deze fase worden automatische scans uitgevoerd die op het doelwit van toepassing
zijn. Bijvoorbeeld:
<ul>
<li>Het identificeren van aangeboden diensten en de
daarbij gebruikte software <i>fingerprinten</i>.</li>
<li>Het maken van een <i>basic</i> oppervlakte scan om bekende kwetsbaarheden
in de gebruikte software en protocollen op te sporen. Tijdens een <i>basic</i>
scan worden ontdekte 'gaten' in de beveiliging door ons niet geexploiteerd. </li>
<li>Het testen op veel voorkomende, bekende configuratiefouten in de software.
Dit zijn met name instellingen op het gebied van authenticatiemechanismen,
toegangsrechten en encryptie. Configuratiefouten in zelf ontwikkelde of exotische
software vallen hier niet onder.</li>
</ul>
</p>
<p><b>Stap 3: analyseren van kwetsbaarheden</b><br/>
Op basis van de verzamelde informatie worden potentiële kwetsbaarheden geïndexeerd.
De kwetsbaarheden worden geanalyseerd om overduidelijke <i>false positives</i>
er uit te filteren (niet alle scans produceren automatisch betrouwbare resultaten).
</p>
<p><b>Stap 4: rapporteren van bevindingen</b><br/>
Na afronding van de analyse wordt een rapport opgeleverd waarin onze
stapsgewijze benadering, de resultaten en gevonden kwetsbaarheden worden beschreven.
Het rapport dat <client_short/> oplevert bevat geen management samenvatting; <client_short/>
voegt deze zelf toe.
</p>
<p>
Na het doorlopen van bovengenoemde stappen kan <client_short/> een goed beeld
schetsen van de beveiligingsstatus van het doelwit. Een echte aanvaller zou \
deze analyse uitvoeren voordat een daadwerkelijke aanval wordt gepleegd.
Het resultaat van deze scan kan niet worden gebruikt om aan te tonen of aan
bepaalde <i>security</i> certificeringen is voldaan. Het resultaat uit een
penetratietest kan daar wel voor worden gebruikt. Bij een penetratietest wordt
gebruik gemaakt van de gevonden exploits om dieper liggende kwetsbaarheden in
kaart te brengen. Een pentest kan daarom worden gezien als de daadwerkelijke
aanval op het systeem.
</p>
</section>
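Review bot: in Stap 4, "Het rapport dat <client_short/> oplevert bevat geen management samenvatting; <client_short/> voegt deze zelf toe." names the customer as the party delivering the report; the first <client_short/> should be <company_short/>, consistent with "De managementsamenvatting wordt door <client_short/> zelf geschreven" in the "Team en rapportage" template. Also: the overview list calls step 3 "analyseren van bedreigingen en kwetsbaarheden" but its heading reads "Stap 3: analyseren van kwetsbaarheden"; "benodige" should be "benodigde" and "geexploiteerd" should be "geëxploiteerd"; there is a stray backslash at the end of "Een echte aanvaller zou \"; and the <ul> in Stap 2 sits inside a <p>, which only works if the document schema allows block content in paragraphs (the pentest methodology template keeps its lists outside <p>).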

View File

@@ -0,0 +1,20 @@
<?xml version="1.0" encoding="UTF-8"?>
<section>
<title>Planning en Betaling</title>
<p><company_short/> houdt het volgende schema aan voor haar werkzaamheden:</p>
<p>
<ul>
<li><p_testingduration/>: <company_short/> voert <company_svc_short/> uit op het doelwit</li>
<li><p_reportwritingduration/>: <company_short/> maakt een concept rapport over de tests</li>
<li><p_reportdue/>: <company_short/> levert het definitieve rapport.</li>
</ul>
</p>
<!-- snippet --><p>Ons vaste tarief voor de bovenstaand beschreven
<company_svc_short/> is <p_fee/>,- excl. BTW en bijkomende kosten.
<company_short/> zal een factuur sturen na afronding van deze opdracht.
<client_short/> zal het afgesproken bedrag binnen 30 dagen na de factureringsdatum overmaken.</p>
<!-- snippet --><p>Eventuele extra werkzaamheden zullen apart worden verrekend.
Een uurtarief zal hieraan voorafgaand worden besproken.</p>
</section>
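Review bot: the fee line "<p_fee/>,- excl. BTW en bijkomende kosten" carries no currency marker; write "EUR <p_fee/>,-" (or "€ <p_fee/>,-") so the generated offer states the currency the general terms promise. The schedule <ul> is again wrapped in a <p>, see the basic-scan note, and the three list items end inconsistently (the last has a full stop, the first two none).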

View File

@@ -0,0 +1,12 @@
<?xml version="1.0" encoding="UTF-8"?>
<section>
<title>Vereisten</title>
<p>Om de diensten naar behoren uit te kunnen voeren heeft <company_short/> toegang nodig tot:</p>
<!--Example of most common scenario, change if necessary!! :-->
<ul>
<li>test accounts</li>
<li>een testomgeving</li>
<li>contactgegevens van de systeemadministrators, voor noodgevallen</li>
</ul>
</section>
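Review bot: the list omits the signed waiver (vrijwaringsverklaring), which the general terms require ("If <company_short/> needs explicit permission from the customer to perform its services ... the customer gives this permission") and for which this commit adds a template; add it as a requirement so no engagement starts without it. Minor: "systeemadministrators" is usually "systeembeheerders" in Dutch.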

View File

@@ -0,0 +1,37 @@
<?xml version="1.0" encoding="UTF-8"?>
<section>
<title>Projectoverzicht</title><!-- section with an overview of ROS activities -->
<!-- snippet --><p><company_short/> zal <company_svc_long/> uitvoeren voor <client_short/>
op de onderstaand beschreven systemen. De diensten zijn bedoelt om inzicht te bieden
in de veiligheid van deze systemen. Om dit te kunnen bewerkstelligen zal <company_short/>
toegang krijgen tot deze systemen, proberen kwetsbaarheden op te sporen en trachten
verdere toegang te krijgen door de gevonden kwetsbaarheden uit te buiten.</p>
<!-- snippet --><p><company_short/> zal de volgende objectieven testen
(de “<b>objectieven</b>”):</p>
<generate_targets/>
<!-- snippet --><p><company_short/> zal testen op de aanwezigheid van de
meest voorkomende kwetsbaarheden, gebruik makend van zowel publiek beschikbare
scanning tools, als door handmatig testen. <company_short/> zal een
<p_duration/>-daagse, <p_boxtype/>, grondige test uitvoeren, via internet.</p>
<!-- snippet --> <!--Not Needed if Disclaimer is Included; Duplicate Text-->
<!--p>It is possible that in the course of the penetration
testing, <company_short/> might hinder the operations of the Targets or
cause damage to the Targets. <client_short/> gives permission for this, to
the extent that <company_short/> does not act negligently or
recklessly. <client_short/> also warrants it has the authority to give such
permission.</p-->
<!-- snippet --><!--Not Needed if Disclaimer is Included; Duplicate Text-->
<!--p>It is important to understand the limits of
<company_short/>'s services. <company_short/> does not (and cannot)
give guarantees that something is secure. <company_short/> instead has
an obligation to make reasonable efforts (in Dutch:
“<i>inspanningsverplichting</i>”) to perform the agreed services.</p-->
<!--REMOVE commented-out text above if not including Disclaimer-->
</section>
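Review bot: the offer calls the systems under test "objectieven" while the waiver template calls them "Doelwitten" (and the pentest methodology template says "target"); since the waiver grants permission only for the targets the offer lists, use one term, preferably "doelwitten". Also: "bedoelt" should be "bedoeld"; and the two commented-out paragraphs kept for offers without the disclaimer are in English in a Dutch template, so whoever re-enables them ships mixed-language text; either translate them now or drop them in favour of the annex, as the "REMOVE commented-out text above" comment already suggests.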

View File

@@ -0,0 +1,51 @@
<?xml version="1.0" encoding="UTF-8"?>
<section>
<title>Team en Rapportage</title>
<section>
<title>Team</title>
<p><company_short/> mag de activiteiten uitvoeren met haar kern-teamleden,
externe freelancers, en/of vrijwilligers.</p>
<p>Het eerste contactpersoon voor deze opdracht zal zijn:</p>
<ul>
<li><company_poc1/> (<company_short/>)</li>
<li><client_poc1/> (<client_short/>)</li>
</ul>
<p>Onze penetratie tests lijken een beetje op een "verover de vlag competitie":
<company_long/> heeft een geografisch gedistribueerd team
en wij gebruiken online infrastructuur (RocketChat, GitLabs, etc.)
om ons werk te coördineren. Dit geeft ons de mogelijkheid om
om verscheidene technische mensen uit de organisatie van de klant
uit te nodigen om op vrijwillige basis samen te werken met ons pentest team.
Natuurlijk geldt deze uitnodiging ook voor <client_short/>.</p>
<p>In de loop van het project hebben wij de insteek om actief te
brainstormen met <client_short/> over zowel de pentest, als het proces.
Dit is een doorlopende leerervaring voor zowel u, als voor onszelf.
Daarnaast hebben wij ervaren dat een directe lijn voor feedback naar de klant
de kwaliteit en de focus van het dienstverband enorm verbeteren.</p>
</section>
<section>
<title>Rapportage</title>
<p><company_short/> zal rapporteren aan <client_short/> betreffende de
penetratie test. Dit rapport zal de genomen stappen bevatten die benodigd waren
gedurende de test en daarnaast de bevonden kwetsbaarheden. Daarnaast zal het
aanbevelingen bevatten, maar geen uitgebreide oplossingen om deze
kwetsbaarheden op te lossen.</p>
<p>Een voorbeeld van een Pentest rapport kan hier gevonden worden</p>
<ul>
<li><a href="https://github.com/radicallyopensecurity/templates/blob/master/sample-report/REP_SittingDuck-
pentestreport-v10.pdf">https://github.com/radicallyopensecurity/templates/blob/master/sample-report/REP_SittingDuck-
pentestreport-v10.pdf</a></li>
</ul>
<p>Een van <company_short/> haar kernwaarden is het
"Leer iemand Vissen" principe - ook bekend als het
"Meekijken over de Schouder" principe. Wij streven ernaar om
onze diensten te structureren, zodat zij kans kunnen bieden
om deze te benutten voor educatieve- of trainingsdoeleinden voor onze klanten.</p>
</section>
</section>
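Review bot: the href of the sample-report link is broken across a line break inside the attribute value ("...REP_SittingDuck-" / "pentestreport-v10.pdf"), so the generated link contains whitespace and does not resolve; keep the URL on one line. Also: "Het eerste contactpersoon voor deze opdracht zal zijn:" introduces two people and should read "De eerste contactpersonen voor deze opdracht zullen zijn:"; "GitLabs" should be "GitLab"; and "de kwaliteit en de focus van het dienstverband enorm verbeteren" should be "van de dienstverlening enorm verbetert" (dienstverband means employment).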

View File

@@ -0,0 +1,60 @@
<?xml version="1.0" encoding="UTF-8"?>
<section>
<title>Team en rapportage</title>
<section>
<title>Team</title>
<p><company_short/> voert de activiteiten zoals genoemd in deze offerte uit
met haar kern-teamleden, externe freelancers, en/of vrijwilligers.<br />
De eerste aanspreekpunt voor deze opdracht zijn:
<ul>
<li><company_poc1/> (<company_short/>)</li>
<li><client_poc1/> (<client_short/>)</li>
</ul>
</p>
<p>
<company_long/> werkt met een geografisch gespreid team. Onze teamleden bevinden
zich in verschillende uithoeken van de wereld. <company_short/> maakt gebruik van een eigen
online infrastructuur (RocketChat, GitLabs, et cetera) om het werk binnen het
team te coördineren. De online infrastructuur biedt ons de mogelijkheid
om technische mensen uit de organisatie van <client_short/> uit te nodigen op
vrijwillige basis met ons pentestteam samen te werken. Natuurlijk geldt deze
uitnodiging ook voor <generate_permission_parties/>.
</p>
<p> <company_short/> betrekt <client_short/> actief bij het project door tussentijds
overleg te voeren over de voortgang van de <company_svc_short/> en over het proces.
Door deze manier van werken wordt het project een doorlopende leerervaring voor
zowel u, als voor <company_short/>. <company_short/> heeft ervaren dat een
rechtstreeks contact met de klant tijdens het project, de kwaliteit en de focus
van onze diensten aanzienlijk verbetert.</p>
</section>
<section>
<title>Rapportage</title>
<p>
<company_short/> zal voor <client_short/> de tijdens de <company_svc_short/>
aangetroffen kwetsbaarheden onderzoeken en classificeren. Onze bevindingen verwerken we in een Engelstalig
rapport. De belangrijkste bevindingen worden voorzien van een gedetailleerd advies
voor het verbeteren van de onveilige situatie. De minder kritische bevindingen
zullen door ons minder gedetailleerd worden behandeld. Voorafgaand aan de oplevering
van het rapport, krijgt <client_short/> inzage in de conceptversie zodat er nog ruimte is voor
vragen en suggesties. De bevindinen uit het rapport zullen telefonisch en/of per email door
<client_short/> en <company_short/> worden besproken.
</p>
<p>
De managementsamenvatting wordt door <client_short/> zelf geschreven. Het rapport
zal een omschrijving van de stappen en de gevonden kwetsbaarheden bevatten.
Daarnaast zal het aanbevelingen bevatten (maar geen uitgebreide oplossingen) om
de kwetsbaarheden te verhelpen. Het rapport wordt voorzien van een bijlage (annex)
met ruwe testgegevens.
</p>
<!--p>Een van <company_short/> haar kernwaarden is het
"Leer iemand Vissen" principe - ook bekend als het
"Meekijken over de Schouder" principe. Wij streven ernaar om
onze diensten te structureren, zodat zij kans kunnen bieden
om deze te benutten voor educatieve- of trainingsdoeleinden voor onze klanten.</p-->
</section>
</section>
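Review bot: "De eerste aanspreekpunt voor deze opdracht zijn:" has a number mismatch; make it "De eerste aanspreekpunten voor deze opdracht zijn:". Also: "bevindinen" should be "bevindingen"; "GitLabs" should be "GitLab"; the contact list is again nested inside a <p>; and since this file and the preceding "Team en Rapportage" file cover the same section for two service types, consider sharing the Team subsection through xi:include instead of maintaining two diverging copies.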

View File

@@ -0,0 +1,68 @@
<waivers>
<standard_waiver>
<title><company_svc_short/> - VRIJWARINGSVERKLARING</title>
<p><b><i><signee_long/></i> (<i><signee_short/></i>)</b>, statutair gevestigd te <signee_street/> <signee_city/>
en in deze rechtsgeldig vertegenwoordigd door <b><signee_legal_rep/></b></p>
<p><b>OVERWEGENDE DAT:</b></p>
<p>A. <i><client_short/></i> wenst dat enkele van zijn systemen worden getest, <company_long/>
(“<company_short/>”) een offerte heeft uitgebracht aan <i><client_short/></i> voor
het uitvoeren van deze tests en <i><client_short/></i> deze offerte heeft geaccepteerd.
De opdracht wordt uitgevoerd door leden van het <company_short/> kernteam, externe freelancers
en/of vrijwilligers (de “Consultants”).</p>
<p>B. Sommige werkzaamheden die door <company_short/> en de Consultants gedurende deze opdracht
worden uitgevoerd zouden als onwettig kunnen worden beschouwd, tenzij <i><signee_short/></i>
toestemming geeft voor dergelijke werkzaamheden. <company_short/> en de Consultants voeren dergelijke
activiteiten alleen uit wanneer zij hier de vereiste toestemming voor hebben ontvangen.</p>
<p>C. <i><signee_short/></i> is bereid dergelijke toestemming te verlenen aan <company_short/>, de
Consultants en alle andere personen die door <company_short/> voor de opdracht in dienst worden
genomen of anderszins zijn ingeschakeld.</p>
<p><b>VERKLAART HET VOLGENDE:</b></p>
<p>1. <i><signee_short/></i> is bekend met het feit dat <company_short/> een <company_svc_short/>
zal uitvoeren in de volgende systemen van <i><signee_short/></i>,
zoals hieronder aangegeven. Doel van deze diensten is het verkrijgen van inzicht
in de veiligheid van deze systemen. <company_short/> zal zich daartoe toegang verschaffen tot
deze systemen om op zoek te gaan naar kwetsbaarheden. Vervolgens zal worden getracht
dergelijke kwetsbaarheden uit te buiten om verdere toegang en verhoogde privileges
te bemachtigen. <company_short/> zal de volgende doelwitten testen (de “Doelwitten”):
<ul>
<li>Doelsysteem</li>
</ul>
</p>
<p>2. <i><signee_short/></i> verklaart hierbij <company_short/> en de Consultants op een datum die
per email zal worden bevestigd de meest uitvoerige toestemming te verlenen voor
het uitvoeren van de opdracht, waaronder toestemming om:</p>
<p>a. de Doelwitten binnen te dringen en te gebruiken;</p>
<p>b. eventuele veiligheidsmaatregelen ter bescherming van de Doelwitten te omzeilen,
verbreken, verwijderen en uit te schakelen;</p>
<p>c. eventuele data die door of via de Doelwitten wordt verwerkt of verzonden te kopiëren,
vast te leggen, aan te passen, te verwijderen of deze onbruikbaar of ontoegankelijk
te maken; en</p>
<p>d. de toegang tot, of het gebruik van, de Doelwitten te belemmeren,</p>
<p><i><signee_short/></i> verleent echter alleen toestemming voor deze activiteiten in
zoverre (i) dergelijke activiteiten noodzakelijk zijn voor het uitvoeren van de
opdracht en (ii) dergelijke activiteiten de reguliere bedrijfsprocessen van
<i><signee_short/></i> niet verstoren.</p>
<p>3. De toestemming zoals vermeld in Artikel 1 omvat alle systemen waarop de Doelwitten
draaien, of die door <company_short/> of de Consultants worden aangetroffen tijdens het uitvoeren
van de opdracht, ongeacht of dergelijke systemen het eigendom zijn van derden.</p>
<p>4. <i><signee_short/></i> verklaart dat hij de wettelijke bevoegdheid heeft om de
in Artikel 1 en 2 genoemde toestemming te verlenen. <i><signee_short/></i> verklaart
tevens dat hij de benodigde toestemming heeft verkregen van eventuele derden zoals
genoemd in Artikel 3.</p>
<p>5. Indien het Openbaar Ministerie een onderzoek start of een strafzaak begint
tegen <company_short/> of de Consultants die door <company_short/> zijn ingeschakeld of in dienst worden genomen
ter uitvoering van de opdracht voor de Klant, dan zal <i><signee_short/></i> zijn volledige
medewerking verlenen aan <company_short/> in diens verweer tegen een dergelijk onderzoek of strafzaak,
waaronder het verschaffen van bewijs dat verband houdt met dit onderzoek of de strafzaak.</p>
<generate_waiver_signature_box/>
</standard_waiver>
</waivers>
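Review bot: Artikel 3 extends "de toestemming zoals vermeld in Artikel 1" to systems owned by third parties, but the permission is granted in Artikel 2 (Artikel 1 only records that the test will take place); the cross-reference should point to Artikel 2, and Artikel 4's "Artikel 1 en 2" should be checked against the same numbering. Also: the target list is a literal "<li>Doelsysteem</li>" placeholder while the offer uses <generate_targets/>; generating both from the same source keeps the waiver's scope identical to the offer's, which is exactly what the signed permission has to cover. Artikel 5 refers to "de Klant", a term this document never defines (it uses <signee_short/> and <client_short/>). The file also lacks the <?xml version="1.0" encoding="UTF-8"?> declaration the other files carry.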

View File

@@ -0,0 +1,7 @@
<?xml version="1.0" encoding="UTF-8"?>
<contact xml:base="contact.xml">
<name>Melanie Rieback</name>
<address>Radically Open Security BV<br/>Overdiemerweg 28, 1111 PP Diemen</address>
<phone>+31 6 10 21 32 40</phone>
<email>melanie@radicallyopensecurity.com</email>
</contact>

View File

@@ -0,0 +1,49 @@
<?xml version="1.0" encoding="UTF-8"?>
<section id="methodology" xml:base="methodology.xml" break="before">
<title>Methodology</title>
<section id="planning">
<title>Planning</title>
<p>Our general approach during this penetration test was as follows:</p>
<ol>
<li><b>Reconnaissance</b><br/>We attempted to gather as much information as possible about the
target. Reconnaissance can take two forms: active and passive. A
passive attack is always the best starting point as this would normally defeat
intrusion detection systems and other forms of protection, etc., afforded to the
network. This would usually involve trying to discover publicly available
information by utilizing a web browser and visiting newsgroups etc. An active form
would be more intrusive and may show up in audit logs and may take the form of a
social engineering type of attack.</li>
<li><b>Enumeration</b><br/>We used varied operating system fingerprinting tools to determine
what hosts are alive on the network and more importantly what services and operating
systems they are running. Research into these services would be carried out to
tailor the test to the discovered services.</li>
<li><b>Scanning</b><br/>Through the use of vulnerability scanners, all discovered hosts would be tested
for vulnerabilities. The result would be analyzed to determine if there any
vulnerabilities that could be exploited to gain access to a target host on a
network.</li>
<li><b>Obtaining Access</b><br/>Through the use of published exploits or weaknesses found in
applications, operating system and services access would then be attempted. This may
be done surreptitiously or by more brute force methods.</li>
</ol>
</section>
<section id="riskClassification">
<title>Risk Classification</title>
<p>Throughout the document, each vulnerability or risk identified has been labeled and
categorized as:</p>
<ul>
<li><b>Extreme</b><br/>Extreme risk of security controls being compromised with the possibility
of catastrophic financial/reputational losses occurring as a result.</li>
<li><b>High</b><br/>High risk of security controls being compromised with the potential for
significant financial/reputational losses occurring as a result.</li>
<li><b>Elevated</b><br/>Elevated risk of security controls being compromised with the potential
for material financial/reputational losses occurring as a result.</li>
<li><b>Moderate</b><br/>Moderate risk of security controls being compromised with the potential
for limited financial/reputational losses occurring as a result.</li>
<li><b>Low</b><br/>Low risk of security controls being compromised with measurable negative
impacts as a result.</li>
</ul>
<p>Please note that this risk rating system was taken from the Penetration Testing Execution
Standard (PTES). For more information, see:
http://www.pentest-standard.org/index.php/Reporting. </p>
</section>
</section>
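Review bot: "to determine if there any vulnerabilities" is missing "are". The Planning list mixes tenses ("Our general approach ... was as follows", then "We attempted", then "would be carried out"); as this is the report template describing work already done, use the past tense throughout. "A passive attack is always the best starting point" describes passive reconnaissance, not an attack, so "Passive reconnaissance is ..." is the accurate wording. The PTES URL is plain text here while the sample-report link in the "Team en Rapportage" template uses <a href="...">; use the same element so it renders as a link. Finally, this four-step plan does not match the seven-step methodology in the Dutch "Pentest Methodologie" offer template; the report should describe the same steps the offer promised.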