
Rules of Engagement in Pentesting

When you create a software product, build a service or stand up a platform, it is worth making sure it is secure. The data we generate feeds the cybercriminal appetite to the point that cybersecurity attacks have become normalized. To check that we have built robustly secure systems, we can turn to the discipline of pentesting.

What is Pentesting?

Penetration testing, or pentesting for short, is a discipline that has been around in one form or another for decades. It is a method used to look for security vulnerabilities in an IT system, such as a web application or online service. Usually, a pentest is carried out by security specialists who probe the system in question, acting as a cybercriminal would, to find flaws and 'ways in'.

OWASP has created a set of industry-standard testing guides for the discipline. It also produces its 'Top Ten' lists of the most critical risk categories, which help focus tests on the most common classes of known weakness. In addition, the Penetration Testing Execution Standard (PTES) sets out the seven main areas of a pentest: pre-engagement interactions, intelligence gathering, threat modeling, vulnerability analysis, exploitation, post-exploitation and reporting. The rules of engagement are agreed in the first of these, before any testing begins.

All in all, pentesting is a skilled job that requires high levels of attention to detail and a deep knowledge of IT system security. It is also, by its very nature, a job that gives an individual intimate knowledge of sensitive data and entry to normally restricted areas of a company. Pentesting therefore requires the client to place a deep level of trust in the firm and the individuals carrying out the tests.

This leads to the main discussion point: do we need rules of engagement and codes of conduct in pentesting?

A Tale of Two Pentesters

The ethical issues of pentesting can be complicated and the waters muddy. (Read more...)

*** This is a Security Bloggers Network syndicated blog from Infosec Resources authored by Susan Morrow. Read the original post at: http://feedproxy.google.com/~r/infosecResources/~3/asSIGFbsudU/