Afternoon
I am not a teacher/lawyer but I would say that if any of your students
use any of these tools in anger on the premises of where they are being
taught, that you will be liable regardless of whether they sign a
waiver or not. If they do use these tools outside the premises you would
not be liable.
If you train someone how to fire a pistol accurately - are you
responsible for them acquiring a stolen firearm and then taking
someone's life?
Have you had a look at the Computers Misuse Act 1990
http://www.opsi.gov.uk/acts/acts1990/Ukpga_19900018_en_1.htm
If the students are attempting to gain access to DATA without
permission, they are breaking the law.
1.-(1) A person is guilty of an offence if-
(a) he causes a computer to perform any function with intent to secure
access to any program or data held in any computer;
This is not legal advice, just my opinion. My two pence worth.
Regards
Jason Gregson
-----Original Message-----
From: Stephen de Vries [mailto:stephen@corsaire.com]
Sent: 08 December 2005 08:55
To: James Strassburg
Cc: webappsec@securityfocus.com
Subject: Re: Security training of developers and company liability
I used to be a trainer on the ISS Ethical Hacking course in the UK
and it was standard practice to have the delegates sign a waiver that
they would only use their new powers in defense of the empire.
Not sure whether this was strictly necessary in the UK, it could have
been a knee jerk reaction from the US legal department.
It rarely hurts to play it safe.
cheers,
Stephen
On 7 Dec 2005, at 23:51, James Strassburg wrote:
I am currently training all of my organization's software
developers on
web application security. I'm using WebScarab and WebGoat as my
primary
teaching tools as I feel that seeing how the problems are exploited is
much more effective than trying to cover every type of coding mistake
that can lead to the problems. My question is about company
liability.
What if one of the developers used the information learned to attack
another site? Is my company liable for their actions as we taught
them
how to do it? Should I have our legal department create a
disclaimer or
waiver for them to sign?
I will be asking the same questions directly to our legal
department but
thought a discussion here could provide some more insight and be
valuable for others. thanks.
James A. Strassburg Jr.
Software Security Architect
Direct Supply, Inc.
________________________________________________________________________
______
This email was scanned for all viruses by our Security Systems on
entering the Easy i network.
For more information on this scanning, please contact Easy i.
________________________________________________________________________
______
