mirror of
https://github.com/The-Art-of-Hacking/h4cker.git
synced 2024-12-18 10:56:09 +00:00
Create scoping.md
This commit is contained in:
parent
bbd31319d6
commit
a25ba9cdfb
59
methodology/scoping.md
Normal file
59
methodology/scoping.md
Normal file
@ -0,0 +1,59 @@
|
||||
Certainly! Planning and scoping are critical steps in a penetration testing assessment to ensure that the test achieves its objectives while minimizing risks. Here's how you might go about it:
|
||||
|
||||
### Planning Phase
|
||||
|
||||
#### Initial Client Meeting
|
||||
- **Objective**: Understand what the client aims to achieve with the penetration test.
|
||||
- **Key Questions**:
|
||||
- What are the key assets you're concerned about?
|
||||
- What types of attacks or threats are you most concerned with?
|
||||
- Do you have any compliance requirements (e.g., PCI-DSS, HIPAA)?
|
||||
|
||||
#### Documentation Review
|
||||
- **Objective**: Review existing documentation to understand the network topology, application architecture, and other relevant details.
|
||||
- **Key Deliverables**:
|
||||
- Network diagrams
|
||||
- Application architecture diagrams
|
||||
- Previous vulnerability assessments or pen test reports
|
||||
|
||||
#### Legal and Compliance Checks
|
||||
- **Objective**: Ensure that all legal requirements are met and permissions are granted.
|
||||
- **Key Deliverables**:
|
||||
- Signed contract
|
||||
- Non-disclosure agreement (NDA)
|
||||
- Permission to test forms
|
||||
|
||||
### Scoping Phase
|
||||
|
||||
#### Define Scope
|
||||
- **Objective**: Clearly outline what is in-scope and out-of-scope.
|
||||
- **Key Deliverables**:
|
||||
- List of target IP addresses
|
||||
- List of target applications
|
||||
- User roles for testing authenticated areas
|
||||
|
||||
#### Determine Timeframe
|
||||
- **Objective**: Decide the duration of the test.
|
||||
- **Key Questions**:
|
||||
- When will the test start and end?
|
||||
- Are there any blackout periods during which testing should not occur?
|
||||
|
||||
#### Resource Allocation
|
||||
- **Objective**: Decide who will perform the test and what tools will be used.
|
||||
- **Key Deliverables**:
|
||||
- Names and credentials of the penetration testers
|
||||
- List of tools that will be used
|
||||
|
||||
#### Success Criteria
|
||||
- **Objective**: Define what will constitute a successful test.
|
||||
- **Key Deliverables**:
|
||||
- Expected outcomes
|
||||
- Metrics for success (e.g., percentage of high-risk vulnerabilities identified)
|
||||
|
||||
#### Finalize Plan
|
||||
- **Objective**: Consolidate all the above information into a formal test plan.
|
||||
- **Key Deliverables**:
|
||||
- Penetration Test Plan document
|
||||
- Client approval on the plan
|
||||
|
||||
By spending ample time on planning and scoping, you're laying a solid foundation for a successful penetration test. This ensures that both the client and the testing team have clear expectations and guidelines, reducing the likelihood of misunderstandings or scope creep.
|
Loading…
Reference in New Issue
Block a user