Process

Based on the PDCA cycle

Plan

Gather documentation for the test

• Document what should be their and it's purpose.

• Open ports

• API endpoints

• Outbound connections

This established a known baseline for the system.

Do

Setup an environment for the test.

• This should be a copy of production.

• This must be isolated from all other instances. Must be on it's own subnet.

• This 'must not contain production data.

• provide the tester will full access to this network - normally done using a jump box.

finally:

• perform the test

Check

• Review the test results

Are they valid:

• Where all systems scanned.

• Where all ports scanned.

Document:

• Document the test results

Act

For each finding:

• Patch the code - if the onus is on you!

• Find a patch for the code - if the problem came from the supply chain.

• Mitigate the problem.

• Remove the component or feature

• Place the component behind something so it cannot be reached.

• Assess the risk

• What is the impact of this vulnerability.

• If it is exploited what could happen:

• Consider the CIA triad in risk analysis.

• How does the CIA triad impact the business?

Tools

ZAP Proxy

Nmap

Scanning web servers

BURP Suite