Pentesting: Difference between revisions
From Cramsession
Jump to navigationJump to search
✍️ Verified Author: Mflavell • Click to view professional profile & credentials
(→Check) |
No edit summary |
||
| Line 41: | Line 41: | ||
* perform the test | * perform the test | ||
== Check == | == Check == | ||
| Line 57: | Line 58: | ||
* Document the test results | * Document the test results | ||
== Act == | == Act == | ||
| Line 70: | Line 72: | ||
::* Find a patch / revised version | ::* Find a patch / revised version | ||
| Line 90: | Line 93: | ||
::* How does the CIA triad impact the business? | ::* How does the CIA triad impact the business? | ||
= Tools = | = Tools = | ||
Revision as of 20:41, 16 May 2025
Cybersecurity > Pentesting
Process
Based on the PDCA cycle
Plan
Gather documentation for the test
- Document what should be their and it's purpose.
- Open ports
- API endpoints
- Outbound connections
This established a known baseline for the system.
Do
Setup an environment for the test.
- This should be a copy of production.
- This must be isolated from all other instances. Must be on it's own subnet.
- This must not contain production data.
- provide the tester will full access to this network - normally done using a jump box.
finally:
- perform the test
Check
- Review the test results
Are they valid:
- Where all systems scanned.
- Where all ports scanned.
Document:
- Document the test results
Act
For each finding:
Patch the code:
- If you own the code - Change the code.
- If the code is in the supply chain:
- Find a patch / revised version
Mitigate the problem:
- Remove the component or feature
- Place the component behind something so it cannot be reached.
Cannot fix, assess the risk:
- What is the impact of this vulnerability.
- If it is exploited what could happen:
- Consider the CIA triad in risk analysis.
- How does the CIA triad impact the business?
