Today's post covers something that is rarely written about: what actually happens in a real-life penetration test.
A beginner pentester joining a company runs into a lot of rules and regulations, so in this post I will share the steps you have
to follow when you do a pentest for a real client.
What are the steps when you work as a pentester in a real company? Read this post to the end. Let's begin.
First, a formal agreement is drawn up that defines your scope: what you are allowed to do and what you are not.
The client may specify, for example, that you cannot use automated tools and must exploit findings manually. There is no restriction on programming: you can write any tool you need and use it.
Now an interesting point. If you run a pentesting company and are in the middle of an engagement, the client is not allowed to change or deploy anything in the environment under test; that is part of the rules. Suppose you have found all the
vulnerabilities and written a proper report. The pentesting company then hands its client a red card.
This is a red certificate stating that the pentest has been
completed and the report submitted. After that, the client has 30 days
to fix all the vulnerabilities. Once they are fixed, the client informs the
pentesting company, which re-tests the client's server
using the same methods as before. If all the vulnerabilities have been patched, the
pentesting company issues a green certificate.
Now let's
come to the rules. These apply specifically to European countries. The
GDPR governs how a company must protect personal data, so if employees' data is leaked, the regulator fines the company,
and if critical vulnerabilities were found, the company has to undergo another
pentest within 2 months. This rule applies to European countries.
Remember what I said above: once a pentest is done,
the client has only one month to patch all the vulnerabilities. If the client does not
respond within that time and the pentesting company finds a new bug on the 31st
day, it charges the client for it. That is a rule too.
Now, if a pentest is done and a bug is found within
3 months of the previous pentest, the testers cannot submit it as a new finding; otherwise they
face legal consequences, because a new bug surfacing within 3 months is taken to mean that they
knew about it and did not disclose it. There is also a
disclosure policy: you cannot share a pentest report, or anything about it,
within 3 months. There are many such rules, and they
vary by country and by company.
I hope you liked today's post; don't forget to share it. You won't
find this kind of post anywhere else, as it is a little-known topic. I would also
like to give a big shoutout to Trident Security.
Disclaimer
All tutorials are for informational and educational purposes only and have been made using our own routers, servers, websites and other free vulnerable resources. They do not contain any illegal activity. We believe that ethical hacking, information security and cyber security should be familiar subjects to anyone using digital information and computers. Hacking Truth is against misuse of this information and strongly advises against it. Please read the word "hacking" as ethical hacking or penetration testing every time it is used. We do not promote, encourage, support or incite any illegal activity or hacking.
- Hacking Truth by Kumar Atul Jaiswal