Methodology and Steps
Vocabulary
- Security Assessment
- Security Audit
- Vulnerability Assessment
- Penetration Test
- External Assessment
- Internal Assessment
- Announced Testing
- Unannounced Testing
- Red Team
- Blue Team
- Purple Team
Testing Automation
- Core Impact Pro
- Codenomicon
- Metasploit
- CANVAS – https://www.immunityinc.com/products/canvas/index.html
Insider Threats
- Pure insider
- Insider associate (contractor)
- Insider affiliate (spouse, friend)
- Outside affiliate (not an employee, doesn’t know anyone)
The Contract
Mandatory before work
- Scope
- Indemnity
- SLA: Service Level Agreement
Deliverables
These are mandatory elements of your post-test assessments.
- Executive summary
- Names and dates of testers/testing
- Findings, ordered by risk
- Analysis and suggested mitigation
- Evidence: log files, screenshots, etc.
Reporting Tools
For teams, a long-time favorite is Dradis. It lets team members collect information on a common server.
https://dradisframework.com/ce/
Another tool that you may see mentioned on the test is MagicTree.
https://tools.kali.org/reporting-tools/magictree
Compare Dradis to MagicTree:
https://www.gremwell.com/magictree_vs_dradis
During pen testing, CherryTree is a good document organization platform.