Security assessment is both a creative and a methodological process. Our consultants are all experienced and innovative manual security testers with a track record of finding chinks in an application's armor. Our security testing methods are complemented by the OWASP Testing Guide, the Penetration Testing Execution Standard (PTES), the OWASP ASVS and the OWASP mobile security guides.

Now that a Rough Order of Magnitude (ROM) has been set for the project, it is time to arrange a meeting with the client to validate assumptions. First, the IP ranges and applications in scope for the engagement must be explicitly defined. It is not uncommon for a client to push back and assume that the tester has the right to identify and attack its network on its own, in order to make the test as realistic as possible. This would indeed be an ideal circumstance, but the possible legal consequences must be taken into account first. It is therefore the tester's responsibility to raise these concerns with the client and to make them understand the importance of explicit scoping. For example, the meeting should establish whether the client actually owns all target environments, including the DNS server, the email server, the physical hardware on which its web servers run, and the firewall/IDS/IPS solution. Many companies outsource the management of these devices to third parties, and an attack on an asset the client does not own is outside the client's authority to approve. Many organizations want their security posture tested in a way that mirrors current real-world attacks.
In military jargon, the "rules of engagement" are the rules that dictate the conditions and limits under which military forces will initiate or continue combat. In a white box test, the test team is given all available information about the targets, sometimes including application source code, so that little or no time is spent on reconnaissance and scanning. A grey box test provides the test team with partial information, such as application URLs, user-level documentation and/or user accounts.

Stress tests or denial-of-service tests should be discussed before the engagement begins. This is a topic many organizations are uneasy about because of the potentially damaging nature of the tests. If an organization is concerned only about the confidentiality or integrity of its data, no stress tests may be required. However, if the organization is also concerned about the availability of its services, stress tests should be conducted in a non-production environment that is identical to production. Even when every necessary precaution is taken, tests can sometimes go wrong, because testing by its nature means making computers do things they were not designed to do.