Penetration Testing mailing list archives

Re: Penetration testing scope/outline


From: josh () dyadsecurity com
Date: Tue, 5 Oct 2004 13:35:40 -0700

Hi,
The scope of work in a penetration/security test is defined contractually before the start of the test and reflects an 
agreement between you and your customer regarding what work they want you to do and things like the times of day you 
are allowed to be running the test. An example of this is if they already know they are vulnerable to SQL Injection, 
they probably don't want you to be spending the entirety of the test owning them with SQL Injection because it's a 
problem they have already assessed and you would be providing them no value by doing so. The scope will vary from 
customer to customer so you can't set yourself up wrong off the bat by defining what you do during a pen-test before 
the dance of the mighty contracts. 

For documentation outlining a lot of what you might be looking for, I'd recommend you check out the Open Source 
Security Testing Methodology Manual (OSSTMM) at www.isecom.org. I expect it should be helpful.
-Josh


Billy Dodson(CraftedPacket () securitynerds org)@Tue, Oct 05, 2004 at 02:45:04PM -0000:
Anyone have any documents they are willing to share on the scope of work
for a pen-test?  I have looked online but was unable to find any available
documentation.  If anyone could provide me with some links or
documentation outlining a pen-test/network audit it would be greatly
appreciated.


-- 
Josh Zelonis
Security Research, Dyad Security, Inc.
W - http://www.dyadsecurity.com
E - josh () dyadsecurity com
