Pentesting: Difference between revisions
From Cramsession
Jump to navigationJump to search
✍️ Verified Author: Mflavell • Click to view professional profile & credentials
(→Act) |
(→Act) |
||
| Line 61: | Line 61: | ||
For each finding: | For each finding: | ||
Patch the code: | |||
:* If you own the code - Change the code. | :* If you own the code - Change the code. | ||
| Line 71: | Line 71: | ||
Mitigate the problem: | |||
:* Remove the component or feature | :* Remove the component or feature | ||
| Line 78: | Line 80: | ||
Cannot fix, assess the risk: | |||
:* What is the impact of this vulnerability. | :* What is the impact of this vulnerability. | ||
Revision as of 20:18, 16 May 2025
Cybersecurity > Pentesting
Process
Based on the PDCA cycle
Plan
Gather documentation for the test
- Document what should be their and it's purpose.
- Open ports
- API endpoints
- Outbound connections
This established a known baseline for the system.
Do
Setup an environment for the test.
- This should be a copy of production.
- This must be isolated from all other instances. Must be on it's own subnet.
- This must not contain production data.
- provide the tester will full access to this network - normally done using a jump box.
finally:
- perform the test
Check
- Review the test results
Are they valid:
- Where all systems scanned.
- Where all ports scanned.
Document:
- Document the test results
Act
For each finding:
Patch the code:
- If you own the code - Change the code.
- If the code is in the supply chain:
- Find a patch / revised version
Mitigate the problem:
- Remove the component or feature
- Place the component behind something so it cannot be reached.
Cannot fix, assess the risk:
- What is the impact of this vulnerability.
- If it is exploited what could happen:
- Consider the CIA triad in risk analysis.
- How does the CIA triad impact the business?
