Awesome-Mirrors/cyber-security-resources
1
0
Fork 0
mirror of https://github.com/The-Art-of-Hacking/h4cker.git synced 2024-10-01 01:25:43 -04:00
Code Issues Packages Projects Releases Wiki Activity

Create scoping.md

Browse Source
This commit is contained in:
Omar Santos 2023-10-12 11:27:54 -04:00 committed by GitHub
parent bbd31319d6
commit a25ba9cdfb
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 59 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

59
methodology/scoping.md Normal file
View File

@ -0,0 +1,59 @@
Certainly! Planning and scoping are critical steps in a penetration testing assessment to ensure that the test achieves its objectives while minimizing risks. Here's how you might go about it:
### Planning Phase
#### Initial Client Meeting
- **Objective**: Understand what the client aims to achieve with the penetration test.
- **Key Questions**:
- What are the key assets you're concerned about?
- What types of attacks or threats are you most concerned with?
- Do you have any compliance requirements (e.g., PCI-DSS, HIPAA)?
#### Documentation Review
- **Objective**: Review existing documentation to understand the network topology, application architecture, and other relevant details.
- **Key Deliverables**:
- Network diagrams
- Application architecture diagrams
- Previous vulnerability assessments or pen test reports
#### Legal and Compliance Checks
- **Objective**: Ensure that all legal requirements are met and permissions are granted.
- **Key Deliverables**:
- Signed contract
- Non-disclosure agreement (NDA)
- Permission to test forms
### Scoping Phase
#### Define Scope
- **Objective**: Clearly outline what is in-scope and out-of-scope.
- **Key Deliverables**:
- List of target IP addresses
- List of target applications
- User roles for testing authenticated areas
#### Determine Timeframe
- **Objective**: Decide the duration of the test.
- **Key Questions**:
- When will the test start and end?
- Are there any blackout periods during which testing should not occur?
#### Resource Allocation
- **Objective**: Decide who will perform the test and what tools will be used.
- **Key Deliverables**:
- Names and credentials of the penetration testers
- List of tools that will be used
#### Success Criteria
- **Objective**: Define what will constitute a successful test.
- **Key Deliverables**:
- Expected outcomes
- Metrics for success (e.g., percentage of high-risk vulnerabilities identified)
#### Finalize Plan
- **Objective**: Consolidate all the above information into a formal test plan.
- **Key Deliverables**:
- Penetration Test Plan document
- Client approval on the plan
By spending ample time on planning and scoping, you're laying a solid foundation for a successful penetration test. This ensures that both the client and the testing team have clear expectations and guidelines, reducing the likelihood of misunderstandings or scope creep.