Web Penetration Testing. Radhi Shatob
should be given about the findings:
Short name of the vulnerability.
Severity level (urgent, critical, high, medium, low, information disclosure).
List of vulnerable assets.
Detailed explanation of the vulnerability.
Brief summary of how the vulnerability was identified.
References about the vulnerability.
Recommendation section: include how the owner can harden the system.
Legal Issues
Before beginning a pen-test, the penetration tester and the company should enter into a contract indicating exactly what the pen-tester will and will not do, including the range of IP addresses, subnets, computers, networks or devices that will be the subject of the pen-test.
The contract should indicate not only that the pen-testing is authorized by the customer, but also that the customer has the legal authority to authorize the penetration test. This subject is especially important for cloud-based systems: if the customer authorizes the pen-tester to test a system or application that resides in the cloud, the customer does not have legal authority over the cloud system and should obtain authorization from the Cloud Service Provider first. If the Cloud Service Provider is uninformed and did not authorize the test, it might pursue the pen-tester for unauthorized access.
A Non-Disclosure Agreement (NDA) is a legal contract that outlines the confidential material, knowledge or information that the customer will share with the pen-tester but wishes to restrict access to by third parties, because the pen-tester will learn almost everything about the systems under test.
Penetration Testing standards
Since penetration testing is very important for cyber security, there are several organizations and consortiums that have documented guidelines for penetration testing, such as:
PCI DSS: Payment Card Industry – Data Security Standard.
OWASP: Open Web Application Security Project.
PTES: Penetration Testing Execution Standard.
OSSTMM: Open Source Security Testing Methodology Manual.
NIST SP 800-115: National Institute of Stand.
End of the introductory fragment.
Text provided by ООО «ЛитРес».