Pentesting: Difference between revisions
From Cramsession
Jump to navigationJump to search
✍️ Verified Author: Mflavell • Click to view professional profile & credentials
No edit summary |
|||
| Line 2: | Line 2: | ||
Based on the PDCA cycle | Based on the PDCA cycle | ||
== Plan == | == Plan == | ||
| Line 17: | Line 19: | ||
This established a known baseline for the system. | This established a known baseline for the system. | ||
== Do == | == Do == | ||
| Line 49: | Line 53: | ||
* Document the test results | * Document the test results | ||
== Act == | == Act == | ||
Revision as of 20:40, 9 May 2025
Process
Based on the PDCA cycle
Plan
Gather documentation for the test
- Document what should be their and it's purpose.
- Open ports
- API endpoints
- Outbound connections
This established a known baseline for the system.
Do
Setup an environment for the test.
- This should be a copy of production.
- This must be isolated from all other instances. Must be on it's own subnet.
- This 'must not contain production data.
- provide the tester will full access to this network - normally done using a jump box.
finally:
- perform the test
Check
- Review the test results
Are they valid:
- Where all systems scanned.
- Where all ports scanned.
Document:
- Document the test results
Act
For each finding:
- Patch the code - if the onus is on you!
- Find a patch for the code - if the problem came from the supply chain.
- Mitigate the problem.
- Remove the component or feature
- Place the component behind something so it cannot be reached.
- Assess the risk
- What is the impact of this vulnerability.
- If it is exploited what could happen:
- Consider the CIA triad in risk analysis.
- How does the CIA triad impact the business?
