What is a pen test?

Are we testing fountain pens? Ballpoint pens? This joke is as old as pen testing itself, yet it remains funny. Of course, pen testing is a collection of actions with a specific goal in mind, but what that goal is, and which actions are needed to reach it, can differ from test to test. Generally, we recognise 5 phases in a pen test, which we will touch on later. First, we will describe what a pen test is and try to define a set of deliverables that will help us both explain and prove our work to our clients. I want you to remember the word client very well! The client is going to be your number 1 priority throughout your complete test. Let’s dive into the meaning first.

So much more than just finding an issue

The whole goal of a pen test is so much more than just finding issues: we have to guide our clients and provide them with adequate support and a level of coverage that will help them better understand their security situation. It all starts with the fact that our clients are often not experts in cybersecurity. They might have a general idea of the flow, but they will not generally know the best course of action, and that is where you come in. You are to guide your client in first determining a goal that is SMART (Specific, Measurable, Attainable, Relevant, and Timely). With this goal in mind, we can determine what actions are required to achieve their desired level of coverage, and you can give them an estimate of your work that is based either on the job as a whole or on the number of hours you put in. This is all easier said than done, because how do you determine that coverage, and what is a good way of working? Thankfully we do not have to reinvent the wheel here and can, in some cases, turn to existing methodologies to at least give us a solid basis on which we can lean to determine our strategy.

In scope/Out of scope

Whatever methodology you pick, you will always be bound to a certain scope. It is important to inform yourself about this scope. YOU NEED TO COMMUNICATE. I cannot stress this enough! If you are unsure about anything regarding the scope or anything else, you have to ask. To assume is to make an ass out of u and me. Be patient and don’t start randomly attacking websites; make sure your tools are also configured to respect this scope. When we come to specific tools, we will talk more about this, but for now it is important to know that the scope needs to be clearly defined and approved by both parties.
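One way to make your tooling respect an agreed scope, as an added example that is not part of the original post: parse the client's scope list into an allowlist (with explicit exclusions) and refuse any target that is not provably inside it. The scope entries below are constructed, and the file format (one entry per line, `!` for exclusions, `*.` for wildcard domains) is an assumption of this example.

```python
import ipaddress

# Constructed sample scope document (hypothetical entries, no real engagement).
SCOPE_TEXT = """
# In scope
10.20.0.0/24
app.example.test
*.dev.example.test
# Out of scope
!10.20.0.5
!legacy.dev.example.test
"""


def parse_scope(text):
    """Split a scope file into included/excluded networks, hosts and domain suffixes."""
    scope = {"nets": [], "hosts": set(), "suffixes": set(),
             "ex_nets": [], "ex_hosts": set(), "ex_suffixes": set()}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip().lower()   # drop comments/blank lines
        if not line:
            continue
        excluded = line.startswith("!")
        entry = line.lstrip("!")
        try:  # a bare IP parses as a /32 network, so both forms land here
            net = ipaddress.ip_network(entry, strict=False)
            scope["ex_nets" if excluded else "nets"].append(net)
            continue
        except ValueError:
            pass
        if entry.startswith("*."):   # wildcard: keep the leading dot as a suffix
            scope["ex_suffixes" if excluded else "suffixes"].add(entry[1:])
        else:
            scope["ex_hosts" if excluded else "hosts"].add(entry)
    return scope


def in_scope(scope, target):
    """True only when the target is explicitly included and not excluded."""
    t = target.strip().lower()
    try:
        addr = ipaddress.ip_address(t)
        if any(addr in n for n in scope["ex_nets"]):
            return False
        return any(addr in n for n in scope["nets"])
    except ValueError:
        pass  # not an IP address; treat as a hostname
    if t in scope["ex_hosts"] or any(t.endswith(s) for s in scope["ex_suffixes"]):
        return False
    return t in scope["hosts"] or any(t.endswith(s) for s in scope["suffixes"])


def filter_targets(scope, targets):
    """Partition candidates; anything not provably in scope is rejected."""
    allowed = [t for t in targets if in_scope(scope, t)]
    rejected = [t for t in targets if not in_scope(scope, t)]
    return allowed, rejected
```

Note that the wildcard `*.dev.example.test` deliberately does not match `dev.example.test` itself; if the client means the apex too, they have to list it explicitly, which is exactly the kind of question you should ask up front.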

Being ethical

At first sight, it might seem easy to be ethical, but the word itself is loaded with assumptions. In my opinion, we all draw the border of morality at where we would go ourselves. For example, we might think it ethical to keep data secret, but is it really ethical if the data you are keeping secret is harming other people?

You have to do your due diligence and not be afraid to cut off toxic clients, but that being said, generally speaking you do have to put your client first. You have to protect them from unethical actors and from corporate espionage. You will have signed an NDA with your client by now (we will get back to this later) and you are to hold to it.

The types of pen test

In general, we have a vast number of different types of pen test. I’ll give you a bit of a summary, but know that there are even more than what I have noted here: