h4cker/methodology/scoping.md
2023-10-12 11:28:58 -04:00

2.2 KiB

Planning and Scoping a Penetration Testing Assessment

Planning Phase

Initial Client Meeting

  • Objective: Understand what the client aims to achieve with the penetration test.
  • Key Questions:
    • What are the key assets you're concerned about?
    • What types of attacks or threats are you most concerned with?
    • Do you have any compliance requirements (e.g., PCI-DSS, HIPAA)?

Documentation Review

  • Objective: Review existing documentation to understand the network topology, application architecture, and other relevant details.
  • Key Deliverables:
    • Network diagrams
    • Application architecture diagrams
    • Previous vulnerability assessments or pen test reports
  • Objective: Ensure that all legal requirements are met and permissions are granted.
  • Key Deliverables:
    • Signed contract
    • Non-disclosure agreement (NDA)
    • Permission to test forms

Scoping Phase

Define Scope

  • Objective: Clearly outline what is in-scope and out-of-scope.
  • Key Deliverables:
    • List of target IP addresses
    • List of target applications
    • User roles for testing authenticated areas

Determine Timeframe

  • Objective: Decide the duration of the test.
  • Key Questions:
    • When will the test start and end?
    • Are there any blackout periods during which testing should not occur?

Resource Allocation

  • Objective: Decide who will perform the test and what tools will be used.
  • Key Deliverables:
    • Names and credentials of the penetration testers
    • List of tools that will be used

Success Criteria

  • Objective: Define what will constitute a successful test.
  • Key Deliverables:
    • Expected outcomes
    • Metrics for success (e.g., percentage of high-risk vulnerabilities identified)

Finalize Plan

  • Objective: Consolidate all the above information into a formal test plan.
  • Key Deliverables:
    • Penetration Test Plan document
    • Client approval on the plan

By spending ample time on planning and scoping, you're laying a solid foundation for a successful penetration test. This ensures that both the client and the testing team have clear expectations and guidelines, reducing the likelihood of misunderstandings or scope creep.