Formatting cleanup

Marcus Bointon 2017-02-27 17:20:12 +01:00
parent b8767e62a5
commit 53ff916f16
No known key found for this signature in database
GPG Key ID: DE31CD6EB646AA24
22 changed files with 285 additions and 233 deletions

View File

@ -1,42 +1,69 @@
<?xml version="1.0" encoding="UTF-8"?>
<section>
<title>About <company_long/></title>
<p><company_long/> is the world's first not-for-profit computer security consultancy.
We operate under an innovative new business model whereby we use a Dutch fiscal
entity, called a “Fiscaal Fondswervende Instelling” (Fiscal Fund raising Institution),
as a commercial front-end to send 90% of our profits, tax-free, to a not-for-profit
foundation, Stichting NL net. The NLnet Foundation has supported open-source,
digital rights, and Internet research for almost 20 years.</p>
<title>About
<company_long/>
</title>
<p>
<company_long/>
is the world's first not-for-profit computer security consultancy. We
operate under an innovative new business model whereby we use a Dutch fiscal
entity, called a “Fiscaal Fondswervende Instelling” (Fiscal Fund raising
Institution), as a commercial front-end to send 90% of our profits,
tax-free, to a not-for-profit foundation, Stichting NL net. The NLnet
Foundation has supported open-source, digital rights, and Internet research
for almost 20 years.
</p>
<p>In contrast to other organizations, our profits do not benefit shareholders,
investors, or founders. Our profits benefit society. As an
organization without a profit-motive, we recruit top-name, ethical security
experts and find like-minded customers that want to use their IT security
budget as a "vote" to support socially responsible entrepreneurship. The rapid
pace of our current growth reflects the positive response the market has to our
idealistic philosophy and innovative business model.</p>
<p>In contrast to other organizations, our profits do not benefit
shareholders, investors, or founders. Our profits benefit society. As an
organization without a profit-motive, we recruit top-name, ethical security
experts and find like-minded customers that want to use their IT security
budget as a "vote" to support socially responsible entrepreneurship. The
rapid pace of our current growth reflects the positive response the market
has to our idealistic philosophy and innovative business model.
</p>
<p><company_long/> has a number of values that we describe as our
“Core Principles.” These are:</p>
<ul>
<li><b>No sketchy stuff</b><br/>
We don't build surveillance systems, hack activists, sell exploits to
intelligence agencies, or anything of the sort. If a job is even remotely
morally questionable, we simply won't do it.</li>
<li><b>Open-Source</b><br/>
Releasing ALL tools and frameworks we build as open source on GitHub (a link to our GitHub page can be found on our website).</li>
<li><b>Teach to fish</b><br/>
During engagements, we will not only share our results with your company,
but also provide a step-by-step description of how to perform the same
audit or procedure without us. We want to demystify what we're doing.
It's not rocket science, and we genuinely want to help your company
improve its security posture, even if it costs us repeat business.</li>
<li><b>IoCs for free</b><br/>Releasing ALL collected threat intelligence
(Indicators of Compromise) into an open-source database that everyone can freely use.
(Sanitized in agreement with customers.)</li>
<li><b>Zero days</b><br/>
We don't sell zero-days - we responsibly disclose them!</li>
</ul>
<p>For more information about <company_long/>, we refer you to our website:
<a href="http://www.radicallyopensecurity.com">www.radicallyopensecurity.com</a>.</p>
<p>
<company_long/>
has a number of values that we describe as our “Core Principles.” These are:
</p>
<ul>
<li>
<b>No sketchy stuff</b>
<br/>
We don't build surveillance systems, hack activists, sell exploits to
intelligence agencies, or anything of the sort. If a job is even remotely
morally questionable, we simply won't do it.
</li>
<li>
<b>Open-Source</b>
<br/>
Releasing ALL tools and frameworks we build as open source on GitHub (a
link to our GitHub page can be found on our website).
</li>
<li>
<b>Teach to fish</b>
<br/>
During engagements, we will not only share our results with your company,
but also provide a step-by-step description of how to perform the same
audit or procedure without us. We want to demystify what we're doing. It's
not rocket science, and we genuinely want to help your company improve its
security posture, even if it costs us repeat business.
</li>
<li>
<b>IoCs for free</b>
<br/>Releasing ALL collected threat intelligence (Indicators of
Compromise) into an open-source database that everyone can freely use.
(Sanitized in agreement with customers.)
</li>
<li>
<b>Zero days</b>
<br/>
We don't sell zero-days - we responsibly disclose them!
</li>
</ul>
<p>For more information about<company_long/>, we refer you to our website:
<a href="http://www.radicallyopensecurity.com">
www.radicallyopensecurity.com</a>.
</p>
</section>
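Review bot: the rewrapped line "For more information about<company_long/>, we refer you to our website:" lost the space (and dropped nothing else) between "about" and `<company_long/>` that the old line "For more information about <company_long/>," had, so the rendered text runs the two words together; restore the space. The link label is also now split across lines between `>` and `</a>`, which puts a newline inside the anchor text; keep `www.radicallyopensecurity.com` flush against the tags as in the old version.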

View File

@ -2,48 +2,53 @@
<section>
<title>Code Audit</title>
<p>
<company_short/> will perform a code audit to aid pentesting. During a
code audit, we manually examine the code of an application to ensure there
are no security vulnerabilities and use our understanding of the code to
guide our pentesting. If vulnerabilities are found, we document those and
suggest ways to fix them. This is done by highly-trained penetration testers
who can both review the raw code as well as interpret the findings of the
automated scans, putting them into context.
<company_short/>
will perform a code audit to aid pentesting. During a code audit, we
manually examine the code of an application to ensure there are no security
vulnerabilities and use our understanding of the code to guide our
pentesting. If vulnerabilities are found, we document those and suggest ways
to fix them. This is done by highly-trained penetration testers who can both
review the raw code as well as interpret the findings of the automated
scans, putting them into context.
</p>
<p>
During the code audit portion of penetration tests, we take the following
criteria into account:
During the code audit portion of penetration tests, we take the following
criteria into account:
</p>
<ol>
<li>Risk Assessment and "Threat Modeling"<br/>
In this step, we analyze the risks of a particular application or system.
Threat Modeling is a specific, structured approach to risk analysis that
enables us to identify, qualify, and address the security risks, thus
dovetailing with the Code Review process. For example, user data is
sacred. We focus on encrypted storage, discover if <client_short/> employees
have a backdoor into data, and cut loose stolen devices by wiping them
remotely and revoking accounts.
<li>Risk Assessment and "Threat Modeling"
<br/>
In this step, we analyze the risks of a particular application or system.
Threat Modeling is a specific, structured approach to risk analysis that
enables us to identify, qualify, and address the security risks, thus
dovetailing with the Code Review process. For example, user data is
sacred. We focus on encrypted storage, discover if <client_short/>
employees have a backdoor into data, and cut loose stolen devices by
wiping them remotely and revoking accounts.
</li>
<li>Purpose and Context<br/>
Here we focus on risks, especially in the quick and easy sharing of
internal documents and itineraries. Account details aren't so secret
when we know who will be in meetings, but what's being discussed is secret.
<li>Purpose and Context
<br/>
Here we focus on risks, especially in the quick and easy sharing of
internal documents and itineraries. Account details aren't so secret when
we know who will be in meetings, but what's being discussed is secret.
</li>
<li>Complexity<br/>
The complexity of the system is in the frameworks that support the web
application. We'd ignore those and focus only on the custom code and
backend code. We would also
focus on implementation mistakes and known flaws in the systems. For
example, we'd ensure you're using the latest versions of software,
but we wouldn't delve into the framework itself. Since we assume the
code is written by a team, it should be clearly-written code. If you have
several full-release versions, there will undoubtedly be several revisions
and audits on that code.
<li>Complexity
<br/>
The complexity of the system is in the frameworks that support the web
application. We'd ignore those and focus only on the custom code and
backend code. We would also focus on implementation mistakes and known
flaws in the systems. For example, we'd ensure you're using the latest
versions of software, but we wouldn't delve into the framework itself.
Since we assume the code is written by a team, it should be
clearly-written code. If you have several full-release versions, there
will undoubtedly be several revisions and audits on that code.
</li>
</ol>
<p>
For more information, please refer to this link:
<a href="https://www.owasp.org/index.php/OWASP_Code_Review_V2_Table_of_Contents">
https://www.owasp.org/index.php/OWASP_Code_Review_V2_Table_of_Contents</a>
For more information, please refer to this link:
<a
href="https://www.owasp.org/index.php/OWASP_Code_Review_V2_Table_of_Contents">
https://www.owasp.org/index.php/OWASP_Code_Review_V2_Table_of_Contents
</a>
</p>
</section>
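Review bot: breaking the `<a` start tag before `href=` and putting the URL on its own line between `>` and `</a>` leaves newlines inside the link label; keep `href` on the same line as `<a` and the URL text flush against the tags, e.g. `<a href="https://www.owasp.org/index.php/OWASP_Code_Review_V2_Table_of_Contents">https://www.owasp.org/…</a>`, so the anchor text matches what the other sections render.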

View File

@ -1,16 +1,14 @@
<?xml version="1.0" encoding="UTF-8"?>
<section id="blackboxing">
<title>The Black-Box Pentesting Method</title>
<p>
<!--snippet -->Crystal-Box vs. Black-Box pentesting refers to the amount of information
about the target environment, architecture, and/or applications that the customer
initially shares with the pentesters. With Black-Box testing, pentesters
are given no information whatsoever about the target(s). With Crystal-Box testing,
pentesters are given all information requested about the target(s), including
source code (when relevant), access to developers or system management, etc..
<br />
<br />
In this case <company_short/> will conduct a black-Box test.
</p>
<title>The Black-Box Pentesting Method</title>
<p>
Crystal-Box vs. Black-Box pentesting refers to the amount of information
about the target environment, architecture, and/or applications that the
customer initially shares with the pentesters. With Black-Box testing,
pentesters are given no information whatsoever about the target(s). With
Crystal-Box testing, pentesters are given all information requested about
the target(s), including source code (when relevant), access to developers
or system management, etc.
</p>
<p>In this case <company_short/> will conduct a black-Box test.</p>
</section>
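Review bot: "black-Box" in the new final paragraph ("will conduct a black-Box test") keeps the mixed capitalisation of the old line while the rest of the section writes "Black-Box"; make it consistent here. Replacing the `<br /><br />` with a second `<p>` and correcting "etc.." to "etc." are both good.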
<!-- end of template -->

View File

@ -1,21 +1,32 @@
<?xml version="1.0" encoding="UTF-8"?>
<section>
<title>Terms and Conditions</title>
<p><company_short/> will only perform the <company_svc_short/>
if it has obtained the permission from <generate_permission_parties/>
as set out in the penetration testing waiver, attached as <b>Annex 2</b>,
or provided in a separate document.</p>
<p><company_short/> performs this assignment on the basis of its general
terms and conditions, which are attached to this offer as Annex 1.
<company_short/> rejects any general terms and conditions used by
<client_short/>.</p>
<p>In order to agree to this offer, please sign this letter in duplicate
and return it to:</p>
<contact>
<name><company_legal_rep/></name>
<address><company_long/><br/>Overdiemerweg 28<br/>1111 PP Diemen</address>
<title>Terms and Conditions</title>
<p>
<company_short/> will only perform the
<company_svc_short/> if it has obtained the permission from
<generate_permission_parties/> as set out in the penetration testing waiver,
attached as <b>Annex 2</b>, or provided in a separate document.
</p>
<p>
<company_short/>
performs this assignment on the basis of its general terms and conditions,
which are attached to this offer as Annex 1.
<company_short/> rejects any general terms and conditions used by
<client_short/>.
</p>
<p>In order to agree to this offer, please sign this letter in duplicate and
return it to:
</p>
<contact>
<name>
<company_legal_rep/>
</name>
<address>
<company_long/>
<br/>Overdiemerweg 28<br/>1111 PP Diemen
</address>
<email>melanie@radicallyopensecurity.com</email>
</contact>
<generate_offer_signature_box/>
</section>
</contact>
<generate_offer_signature_box/>
</section>
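Review bot: while these lines are being rewrapped, "if it has obtained the permission from" reads better as "if it has obtained permission from". Separately, the unchanged context line hard-codes melanie@radicallyopensecurity.com in a template that otherwise uses placeholder elements such as `<company_legal_rep/>`; a placeholder for the contact e-mail would stop the address being baked into every generated offer.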

View File

@ -1,4 +1,4 @@
<?xml version="1.0" encoding="UTF-8"?><!--snippet -->
<?xml version="1.0" encoding="UTF-8"?>
<section id="crystalboxing">
<title>The Crystal-Box Pentesting Method</title>
<p>
@ -20,4 +20,4 @@
crystal-box pentesting fits naturally hand-in-hand with the "Peek Over Our
Shoulder" option that <company_short/> offers to <client_short/>.
</p>
</section><!-- end of template -->
</section>
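Review bot: this hunk, together with the black-box, grey-box and Dutch snippet files in the same commit, removes the `<!--snippet -->` and `<!-- end of template -->` marker comments; if any build or include tooling finds snippet boundaries by these comments, check it before merging, and if they are purely informational, say so in the commit message since "Formatting cleanup" does not cover it.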

View File

@ -7,7 +7,6 @@
<company_short/>, instead, has an obligation to make reasonable efforts (in
Dutch: “<i>inspanningsverplichting</i>”) to perform the agreed services.
</p>
<p>
<company_short/> and <client_short/>
agree to take reasonable measures to maintain the confidentiality of

View File

@ -8,11 +8,8 @@
<company_short/>, instead, has an obligation to make reasonable efforts (in
Dutch: “<i>inspanningsverplichting</i>”) to perform the agreed services.
</p>
<p>
<company_short/>
and
<client_short/>
<company_short/> and <client_short/>
agree to take reasonable measures to maintain the confidentiality of
information and any personal data they gain access to in the course of
performing the code audit. Both parties will use the information and data
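Review bot: with the `+`/`-` markers lost in this rendering, the header `-8,11 +8,8` (three lines removed, none added) implies the split `<company_short/>` / `and` / `<client_short/>` lines were dropped and the joined `<company_short/> and <client_short/>` line kept, i.e. the old file named the parties twice in a row. That is a content fix rather than formatting; worth mentioning in the commit message.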

View File

@ -1,7 +1,6 @@
<?xml version="1.0" encoding="UTF-8"?>
<section id="waiver-example">
<title>ANNEX 2 Example Pentest Waiver</title>
<p>
<b><i>(Full Client Name)</i> (“<i>(Client)</i>”)</b>, with its registered
office at Somestreet, Somecity, Earth, Milkyway, and duly represented by

View File

@ -2,13 +2,13 @@
<section id="greyboxing">
<title>The Grey-Box Pentesting Method</title>
<p>
<!--snippet -->Crystal-Box vs. Black-Box pentesting refers to the amount of
information regarding the target environment, architecture, and/or
applications that is initially shared by the customer with the pentesters.
With Black-Box testing, pentesters are given no information whatsoever about
the target(s). With Crystal-Box testing, pentesters are given all
information requested about the target(s), including source-code (when
relevant), access to developers or system management, etc..
Crystal-Box vs. Black-Box pentesting refers to the amount of information
regarding the target environment, architecture, and/or applications that is
initially shared by the customer with the pentesters. With Black-Box
testing, pentesters are given no information whatsoever about the target(s).
With Crystal-Box testing, pentesters are given all information requested
about the target(s), including source-code (when relevant), access to
developers or system management, etc..
</p>
<p>
<company_short/>
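Review bot: the trailing "etc.." survives in the rewrapped paragraph ("developers or system management, etc..") although the black-box file in this same commit corrects it to "etc."; also "source-code" here versus "source code" in the black-box file. Since the two paragraphs are otherwise near-identical, one shared snippet would keep them in step.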

View File

@ -1,12 +1,17 @@
<?xml version="1.0" encoding="UTF-8"?>
<section>
<title>Introduction</title>
<p><client_long/> (hereafter “<b><client_short/></b>”), with its registered office
at <client_street/>, <client_city/>, <client_country/>, has requested <company_long/>
(hereafter “<b><company_short/></b>”) to perform <company_svc_long/>.
The motivation for this request is that <client_short/> wishes to get a better
insight into ...</p>
<p>
<client_long/> (hereafter “<b><client_short/></b>”), with its registered office at
<client_street/>, <client_city/>, <client_country/>, has requested <company_long/>
(hereafter “<b><company_short/></b>”) to perform <company_svc_long/>.
</p>
<p>
The motivation for this request is that <client_short/> wishes to gain better
insight into ...
</p>
<p>This offer sets out the scope of the work and the terms and conditions under
which <company_short/> will perform these services.</p>
<p>This offer sets out the scope of the work and the terms and conditions
under which <company_short/> will perform these services.
</p>
</section>
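Review bot: the paragraph style is mixed in the new text: the first two paragraphs put `<p>` and `</p>` on their own lines, while the last keeps `<p>This offer sets out…` inline and leaves a dangling `</p>` line; pick one form. The same introduction paragraphs are repeated in the retest introduction file in this commit, so a shared include would avoid the two drifting apart.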

View File

@ -4,11 +4,12 @@
<p>
<client_long/> (hereafter “<b><client_short/></b>”), with its registered office at
<client_street/>, <client_city/>, <client_country/>, has requested <company_long/>
(hereafter “<b><company_short/></b>”) to perform <company_svc_long/>.</p>
<p>The motivation for this request is that <client_short/> has had a recent penetration
test done by <company_short/> and wishes to check that the vulnerabilities found
have been mitigated.
</p>
(hereafter “<b><company_short/></b>”) to perform <company_svc_long/>.
</p>
<p>The motivation for this request is that <client_short/> has had a recent penetration
test done by <company_short/> and wishes to check that the vulnerabilities found
have been mitigated.
</p>
<p>This offer sets out the scope of the work and the terms and conditions
under which <company_short/> will perform these services.

View File

@ -10,8 +10,8 @@
impact on the Confidentiality, Integrity and Availability (CIA) of the
system. We will describe how an attacker would exploit the vulnerability and
suggest ways of fixing it.
<br/>
This requires an extensive knowledge of the platform the application is
</p>
<p>This requires an extensive knowledge of the platform the application is
running on, as well as the extensive knowledge of the language the
application in written in and patterns that have been used. Therefore a code
audit done by highly-trained specialists with a strong background in
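Review bot: the new paragraph "This requires an extensive knowledge…" carries two slips on the touched and adjacent context lines that are worth fixing in the same pass: "an extensive knowledge" should be "extensive knowledge", and "the language the application in written in" should read "is written in".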
@ -21,7 +21,7 @@
During the code audit, we take the following approach:
</p>
<ol>
<li>Thorough comprehension of functionality
<li><b>Thorough comprehension of functionality</b>
<br/>
We try to get a thorough comprehension of how the application works and
how it interacts with the user and other systems. Having detailed
@ -29,7 +29,7 @@
documentation) at this stage is very helpful, as they aid the
understanding of the application
</li>
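Review bot: the list item ends with "understanding of the application" and no full stop, unlike the other items in this list; add one while the item header is being bolded.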
<li>Static analysis
<li><b>Static analysis</b>
<br/>
Using the understanding we gained in the previous step, we will use static
code analysis to uncover any vulnerabilities. Static analysis means the
@ -47,7 +47,7 @@
assessing the quality of the security measures.
</li>
<li>Dynamic analysis
<li><b>Dynamic analysis</b>
<br/>
Dynamic analysis can also be performed. In this case, the program is run
and actively exploited by the specialist. This is usually done to confirm

View File

@ -1,6 +1,5 @@
<?xml version="1.0" encoding="UTF-8"?>
<section>
<!-- for an example load testing offer, ask other writers!-->
<title>Load testing</title>
<p>The aim of load testing is to measure what realistic level of performance a
service deployment is capable of delivering, or whether it meets a specific
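Review bot: the removed comment was an authoring hint for whoever fills in the template, as are the `<!-- section with an overview of ROS activities -->` comments removed from the two Project Overview files further down; if these hints are no longer wanted in the sources, consider keeping them in a README so template users still get the guidance.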

View File

@ -1,10 +1,13 @@
<?xml version="1.0" encoding="UTF-8"?>
<section>
<title>Planning and Payment</title>
<p><company_short/> will uphold the following dates for the planning of the services:</p>
<p>
<company_short/>
will uphold the following dates for the planning of the services:
</p>
<ul>
<li><company_short/> performs a <company_svc_short/> on <p_testingduration/>.</li>
<li><company_short/> delivers the final report <p_reportdue/>.</li>
<li><company_short/> performs a <company_svc_short/> on <p_testingduration/>.</li>
<li><company_short/> delivers the final report <p_reportdue/>.</li>
</ul>
<p>
Our fixed-fee price quote for the above described <company_svc_short/> is <p_fee/>.-

View File

@ -2,7 +2,7 @@
<section>
<title>Prerequisites</title>
<p>In order to perform this audit, <company_short/> will need access to:</p>
<!--Example of most common scenario, change if necessary!! :-->
<!-- Example of most common scenario, change as necessary -->
<ul>
<li>Test accounts</li>
<li>Test environment</li>

View File

@ -2,7 +2,7 @@
<section>
<title>Prerequisites</title>
<p>In order to provide training, <company_short/> will need to:</p>
<!--Example of most common scenario, change if necessary!! :-->
<!-- Example of most common scenario, change if necessary -->
<ul>
<li>Develop training materials</li>
<li>Book an appropriate venue</li>
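Review bot: the two Prerequisites files now carry slightly different hints, "change as necessary" in the audit file and "change if necessary" in the training file; harmonise the wording. Dropping the trailing "!! :" from both is fine.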

View File

@ -1,6 +1,5 @@
<?xml version="1.0" encoding="UTF-8"?>
<section>
<!-- section with an overview of ROS activities -->
<title>Project Overview</title>
<p>
<company_short/> will perform <company_svc_long/> for <client_short/>

View File

@ -1,6 +1,5 @@
<?xml version="1.0" encoding="UTF-8"?>
<section>
<!-- section with an overview of ROS activities -->
<title>Project Overview</title>
<p>
<company_short/> will perform <company_svc_long/> for <client_short/>

View File

@ -1,7 +1,7 @@
<?xml version="1.0" encoding="UTF-8"?>
<section>
<title>Project Overview
</title><!-- section with an overview of ROS activities -->
</title>
<p>
<company_short/>
will provide xxx training sessions, for xxx different groups,
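Review bot: the title still spans two lines ("Project Overview" then `</title>`), leaving a newline inside `<title>` that the other files avoid by writing `<title>Project Overview</title>` on one line; fold it. The "xxx" placeholders on the context line would also be clearer as template elements, like the `<p_…/>` elements the planning file uses.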

View File

@ -20,7 +20,6 @@
<!-- remove this for non pentesting offers-->
<p>The workflow of our penetration testing team is modeled on that of a
Capture The Flag (CTF) team:
<!-- remove this for non pentesting offers-->
<company_long/> has a geographically distributed team and we use online
infrastructure (RocketChat, GitLabs, etc.) to coordinate our work. This

View File

@ -1,78 +1,85 @@
<?xml version="1.0" encoding="UTF-8"?>
<waivers>
<standard_waiver>
<title><company_svc_short/> - WAIVER</title>
<standard_waiver>
<title>
<company_svc_short/>
- WAIVER
</title>
<p><b><i><signee_long/></i> (<i><signee_short/></i>)</b>, with its registered office at <signee_street/>,
<signee_city/>, <signee_country/> and duly represented by <b><signee_waiver_rep/></b></p>
<p>
<b><i><signee_long/></i> (<i><signee_short/></i>)</b>, with its registered office at
<signee_street/>, <signee_city/>, <signee_country/> and duly represented by
<b><signee_waiver_rep/></b>
</p>
<p>
<b>WHEREAS:</b>
</p>
<p>
<b>WHEREAS:</b>
</p>
<p>A. <client_short/> wants some of its systems to be tested,
<company_long/> (“<company_short/>”) has offered to perform
such testing for <client_short/> and
<client_short/> has accepted this offer.
The assignment will be performed by <company_short/>' core-team members, external
freelancers, and/or volunteers (the “Consultants”).</p>
<p>B. Some of the activities performed by
<company_short/> and the
Consultants during the course of this assignment could be considered
illegal, unless <signee_short/> has given permission for
these activities. <company_short/>
and the Consultant will only perform such activities if they have received
the required permission.</p>
<p>C. <signee_short/> is
willing to give such permission to <company_short/>, the Consultants and any
other person <company_short/> might
employ or engage for the assignment.</p>
<p>
<b>DECLARES AS FOLLOWS:</b>
</p>
<p>1. <signee_short/> is
aware that <company_short/> will
perform <company_svc_long/> of the
following systems of <signee_short/>, as described
below. The services are intended to gain insight in the security of these
systems. To do so, <company_short/>
will access these systems, attempt to find vulnerabilities and gain further
access and elevated privileges by exploiting any vulnerabilities found.
<company_short/> will test the
following targets (the “<b>Targets</b>”):</p>
<generate_targets/>
<p>2. <signee_short/>
hereby grants <company_short/> and
the Consultants on a date to be confirmed by email the broadest permission
possible to perform the assignment, including the permission to:</p>
<p>a. enter and use the Targets;</p>
<p>b. circumvent, breach, remove and turn off
any security measures protecting the Targets;</p>
<p>c. copy, intercept, record, amend, delete,
render unusable or inaccessible any data stored on, processed by or
transferred via the Targets; and</p>
<p>d. hinder the access or use of the
Targets,</p>
<p>but <signee_short/>
only grants the permission for these activities to the extent that (i) such
activities are necessary to perform the assignment and (ii) such activities
do not disrupt the normal business operations of <signee_short/>.</p>
<p>3. The permission under Article 1 extends
to all systems on which the Targets run, or which <company_short/> or the Consultant might
encounter while performing the assignment, regardless of whether these
systems are owned by third parties.</p>
<p>4. <signee_short/>
warrants that it has the legal authority to give the permission set out
under Articles 1 and 2. It also warrants it has obtained the necessary
permissions from any third parties referred to under Article 3.</p>
<p>5. Should the public prosecutor initiate an
investigation or criminal proceedings against <company_short/> or any of the consultants it
engaged or employed as a result of the performance of the assignment for the
customer, then <signee_short/> will co-operate fully
with <company_short/> in defending
against this investigation or proceedings, including by providing any
evidence it has which relates to this investigation or these
proceedings.</p>
</standard_waiver>
<p>A. <client_short/> wants some of its systems to be tested,
<company_long/> (“<company_short/>”) has offered to perform such testing for
<client_short/> and <client_short/> has accepted this offer.
The assignment will be performed by <company_short/>' core-team members,
external freelancers, and/or volunteers (the “Consultants”).
</p>
<p>B. Some of the activities performed by <company_short/>
and the Consultants during the course of this assignment could be
considered illegal, unless <signee_short/>
has given permission for these activities.
<company_short/> and the Consultant will only perform such activities if they
have received the required permission.
</p>
<p>C. <signee_short/> is willing to give such permission to <company_short/>,
the Consultants and any other person <company_short/> might employ or engage for
the assignment.
</p>
<p>
<b>DECLARES AS FOLLOWS:</b>
</p>
<p>1. <signee_short/> is aware that <company_short/> will perform
<company_svc_long/> of the following systems of <signee_short/>, as described
below. The services are intended to gain insight in the security of these systems.
To do so, <company_short/> will access these systems, attempt to find
vulnerabilities and gain further access and elevated privileges by exploiting
any vulnerabilities found. <company_short/> will test the following targets
(the “<b>Targets</b>”):
</p>
<generate_targets/>
<p>2. <signee_short/> hereby grants <company_short/>
and the Consultants on a date to be confirmed by email the broadest
permission possible to perform the assignment, including the permission
to:
</p>
<p>a. enter and use the Targets;</p>
<p>b. circumvent, breach, remove and turn off any security measures
protecting the Targets;
</p>
<p>c. copy, intercept, record, amend, delete, render unusable or
inaccessible any data stored on, processed by or transferred via the
Targets; and
</p>
<p>d. hinder the access or use of the Targets,</p>
<p>but <signee_short/> only grants the permission for these activities to the
extent that (i) such activities are necessary to perform the assignment and
(ii) such activities do not disrupt the normal business operations of
<signee_short/>.
</p>
<p>3. The permission under Article 1 extends to all systems on which the
Targets run, or which <company_short/> or the Consultant might encounter
while performing the assignment, regardless of whether these systems are
owned by third parties.
</p>
<p>4. <signee_short/> warrants that it has the legal authority to give the
permission set out under Articles 1 and 2. It also warrants it has obtained
the necessary permissions from any third parties referred to under Article 3.
</p>
<p>5. Should the public prosecutor initiate an investigation or criminal
proceedings against <company_short/> or any of the consultants it engaged or
employed as a result of the performance of the assignment for the customer,
then <signee_short/> will co-operate fully with <company_short/>
in defending against this investigation or proceedings, including by
providing any evidence it has which relates to this investigation or these
proceedings.
</p>
</standard_waiver>
</waivers>
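Review bot: Article 3 still reads "The permission under Article 1 extends…", but the permission is granted in Article 2 (Article 1 is the acknowledgement, and Article 4 cites "Articles 1 and 2"); check this cross-reference while the paragraph is rewrapped. Two small items on the touched lines: "gain insight in the security" should be "insight into", and paragraph B switches from "the Consultants" to "the Consultant".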

View File

@ -1,18 +1,22 @@
<?xml version="1.0" encoding="UTF-8"?>
<!--snippet -->
<div><p>
Crystal-Box vs. Black-Box pentesting verwijst naar de hoeveelheid
informatie over de doelwit omgeving, architectuur, en/of applicaties die de klant
in eerste instantie deelt met de pentesters. Bij Black-Box testing ontvangen de
pentester helemaal geen informatie over het doelwit. Bij Crystal-Box tests
ontvangen de pentesters alle informatie die opgevraagd wordt betreffende het doelwit,
inclusief source code (wanneer dit relevant is), toegang tot developers of systeembeheer, etc...
</p>
<p>
<company_short/> zal een Crystal-box pentest uitvoeren - de methode die onze voorkeur heeft.
In tegenstelling tot "echte" hackers, die alle tijd van de wereld hebben,
vinden pentests plaats in een beperkt tijdsbestek. Crystal-box pentesting biedt ons
de mogelijkheid om onze tijd zo efficiënt mogelijk te gebruiken, waardoor het maximale aantal kwetsbaarheden kan worden gevonden.
Daarnaast sluit de Crystal-box pentest het beste aan bij de "meekijk"-optie die <company_short/> <client_short/> biedt.
</p></div>
<!-- end of template -->
<div>
<p>
Crystal-Box vs. Black-Box pentesting verwijst naar de hoeveelheid informatie
over de doelwit omgeving, architectuur, en/of applicaties die de klant in
eerste instantie deelt met de pentesters. Bij Black-Box testing ontvangen de
pentester helemaal geen informatie over het doelwit. Bij Crystal-Box tests
ontvangen de pentesters alle informatie die opgevraagd wordt betreffende het
doelwit, inclusief source code (wanneer dit relevant is), toegang tot
developers of systeembeheer, etc...
</p>
<p>
<company_short/>
zal een Crystal-box pentest uitvoeren - de methode die onze voorkeur heeft.
In tegenstelling tot "echte" hackers, die alle tijd van de wereld hebben,
vinden pentests plaats in een beperkt tijdsbestek. Crystal-box pentesting
biedt ons de mogelijkheid om onze tijd zo efficiënt mogelijk te gebruiken,
waardoor het maximale aantal kwetsbaarheden kan worden gevonden. Daarnaast
sluit de Crystal-box pentest het beste aan bij de "meekijk"-optie die
<company_short/> <client_short/> biedt.
</p>
</div>
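Review bot: "etc..." (three dots) remains in the rewrapped Dutch paragraph while the English black-box snippet in this commit was corrected to "etc."; apply the same fix here. This file also keeps a `<div>` wrapper where its English counterparts use `<section>`, which is worth aligning if the snippet is included into the same documents.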