Pentesting
From Cramsession
✍️ Verified Author: Mflavell • Click to view professional profile & credentials
Cybersecurity > Pentesting
Process
Based on the PDCA cycle
Plan
Gather documentation for the test
- Document what should be their and it's purpose.
- Open ports
- API endpoints
- Outbound connections
This established a known baseline for the system.
Do
Setup an environment for the test.
- This should be a copy of production.
- This must be isolated from all other instances. Must be on it's own subnet.
- This must not contain production data.
- provide the tester will full access to this network - normally done using a jump box.
finally:
- perform the test
Check
- Review the test results
Are they valid:
- Where all systems scanned.
- Where all ports scanned.
Document:
- Document the test results
Act
For each finding:
Patch the code:
- If you own the code - Change the code.
- If the code is in the supply chain:
- Find a patch / revised version
Mitigate the problem:
- Remove the component or feature
- Place the component behind something so it cannot be reached.
Cannot fix, assess the risk:
- What is the impact of this vulnerability.
- If it is exploited what could happen:
- Consider the CIA triad in risk analysis.
- How does the CIA triad impact the business?
