On the Perl Jobs mailing list, a job for a security audit of a mod_perl site was listed (the job is no longer in the database, though). While that seems straightforward, the following information was supplied:
Audit the nlp.petamem.com pages which are written in perl (using mod_perl2) for security problems and other faults. You cannot have direct access to the site code, but we will provide you with all technical information you need for auditing.
I've done white box security audits of code, but never something like this. Am I completely missing something? Do you even need to know Perl if you're not allowed to look at the code? How the heck can you "audit" something you're not allowed to see? The only thing I can think of is to spider the site and start throwing malformed input at everything and see what breaks. That's hardly an audit and would likely miss many problems. Are requests like this common in the security world? I know that penetration tests aren't uncommon, but asking for an audit of code you're not allowed to see is a different beast altogether.