The following language should be provided as an addendum to an application security statement of work requiring application scanning, penetration testing, or other invasive techniques. The goal is to protect those performing the work.
Application security verification involves techniques such as application security vulnerability scanning, application penetration testing, static analysis, and manual code review. This verification is an important part of the process of making sure that an application is properly protected against likely attacks. Additional details on what these activities typically involve can be found at http://www.owasp.org.
______________ ("Customer") hereby authorizes employees of ___________ ("Company") to conduct security verification activities of the application(s) and system(s) described below.
. . . . (provide unambiguous application/system names and brief descriptions)
The following restrictions shall apply to this authorization:
- This authorization shall be in effect from ____________ to _____________
- (Insert additional permissions and/or restrictions as appropriate)
Pursuant to granting this authorization, Customer declares that:
- Customer owns the systems to be tested and the undersigned has the proper authority to allow Company to perform application security verification activities.
- Customer has created a full backup of all systems to be tested and has verified that the backup procedure will enable Customer to restore systems to their pretest state.
- The service necessarily involves the use of network tools and techniques designed to detect security vulnerabilities, and it is impossible to identify and eliminate all the risks involved with the use of these tools and techniques.