官术网_书友最值得收藏!

Part II. Penetration Testers Armory

Chapter 3. Target Scoping

Target Scoping is defined as an empirical process for gathering target assessment requirements and characterizing each of its parameters to generate a test plan, limitations, business objectives, and time schedule. This process plays an important role in defining clear objectives towards any kind of security assessment. By determining these key objectives one can easily draw a practical roadmap of what will be tested, how it should be tested, what resources will be allocated, what limitations will be applied, what business objectives will be achieved, and how the test project will be planned and scheduled. Thus, we have combined all of these elements and presented them in a formalized scope process to achieve the required goal. Following are the key concepts which will be discussed in this chapter:

  • Gathering client requirements deals with accumulating information about the target environment through verbal or written communication.
  • Preparing test plan depends on different sets of variables. These may include shaping the actual requirements into structured testing process, legal agreements, cost analysis, and resource allocation.
  • Profiling test boundaries determines the limitations associated with the penetration testing assignment. These can be a limitation of technology, knowledge, or a formal restriction on the client's IT environment.
  • Defining business objectives is a process of aligning business view with technical objectives of the penetration testing program.
  • Project management and scheduling directs every other step of the penetration testing process with a proper timeline for test execution. This can be achieved by using a number of advanced project management tools.

It is highly recommended to follow the scope process in order to ensure test consistency and greater probability of success. Additionally, this process can also be adjusted according to the given situation and test factors. Without using any such process, there will be a greater chance of failure, as the requirements gathered will have no proper definitions and procedures to follow. This can lead the whole penetration testing project into danger and may result in unexpected business interruption. Paying special attention at this stage to the penetration testing process would make an excellent contribution towards the rest of the test phases and clear the perspectives of both technical and management areas. The key is to acquire as much information beforehand as possible from the client to formulate a strategic path that reflects multiple aspects of penetration testing. These may include negotiable legal terms, contractual agreement, resource allocation, test limitations, core competencies, infrastructure information, timescales, and rules of engagement. As a part of best practices, the scope process addresses each of the attributes necessary to kickstart our penetration testing project in a professional manner.

As we can see in the preceding screenshot, each step constitutes unique information that is aligned in a logical order to pursue the test execution successfully. Remember, the more information that is gathered and managed properly, the easier it will be for both the client and the penetration testing consultant to further understand the process of testing. This also governs any legal matters to be resolved at an early stage. Hence, we will explain each of these steps in more detail in the following section.

主站蜘蛛池模板: 庆云县| 吉安县| 桦甸市| 罗源县| 昌吉市| 慈溪市| 青河县| 秦皇岛市| 嘉义县| 海门市| 盖州市| 黑水县| 潼关县| 玛沁县| 西吉县| 宜君县| 安岳县| 焦作市| 青岛市| 阿尔山市| 岢岚县| 云南省| 周至县| 朝阳区| 德格县| 长兴县| 竹山县| 育儿| 界首市| 宣城市| 孝义市| 诸城市| 永州市| 长春市| 崇州市| 恭城| 承德市| 高安市| 新巴尔虎右旗| 金川县| 宜城市|