
Cloud | 1/17/2020 10:45 AM | Steve Zurier
7 Ways to Get the Most Out of a Penetration Test

You'll get the best results when you're clear on what you want to accomplish from a pen test.
2 of 8

Develop targeted goals for the engagement.

Hay, whose firm offers pen testing services, says companies need to be very clear what they want from their third-party penetration tester. It doesn't make any sense for the company to have all its systems, servers, and applications tested. It's better to tell the pen tester to run a test on two or three specific external IP addresses, and then focus on the most important Web app. For example, a healthcare company might want to focus on medical data, and banks will want to key in on financial data.

Quentin Rhoads, director of professional services at Critical Start, adds that companies need to identify the scope: how many servers to test and the number of Web apps. Armed with that information, the pen tester can offer a realistic price and set goals they can meet.
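One practical way to hold a tester to the agreed scope is to write the scope down in a machine-checkable form and run every proposed target list against it before testing starts. The script below is an added example, not code from the article or from either firm quoted in it; the scope layout, the function names in_scope and partition_targets, and the sample addresses (taken from the 198.51.100.0/24 documentation range) and host names are assumptions made for illustration.

```python
"""Check a proposed target list against an agreed pen-test scope.

Added example (not from the Dark Reading article): the scope structure,
sample values and function names are assumptions for illustration.
"""
import ipaddress
from urllib.parse import urlsplit

# Constructed example scope: two external IPs plus one priority web app,
# mirroring the "two or three addresses, then the most important app" advice.
EXAMPLE_SCOPE = {
    "networks": ["198.51.100.10/32", "198.51.100.11/32"],  # documentation range, constructed
    "hosts": ["portal.example.com"],                        # the priority web app
    "goals": ["patient records in the portal"],             # what the client cares about
}


def _parse_scope(scope):
    """Turn the scope's strings into network objects and a normalised host set."""
    nets = [ipaddress.ip_network(n, strict=False) for n in scope["networks"]]
    hosts = {h.lower().rstrip(".") for h in scope["hosts"]}
    return nets, hosts


def in_scope(target, scope):
    """Return True if target (IP, hostname or URL) is within the agreed scope."""
    nets, hosts = _parse_scope(scope)
    host = target
    if "://" in target:
        # URLs are reduced to their host part; paths are not part of scoping here
        host = urlsplit(target).hostname or ""
    host = host.lower().rstrip(".")
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        # Not an IP literal, so it must match one of the named hosts exactly
        return host in hosts
    return any(addr in net for net in nets)


def partition_targets(targets, scope):
    """Split a proposed target list into (in_scope, out_of_scope) lists."""
    allowed, rejected = [], []
    for t in targets:
        (allowed if in_scope(t, scope) else rejected).append(t)
    return allowed, rejected


if __name__ == "__main__":
    proposed = [
        "198.51.100.10",
        "https://portal.example.com/login",
        "198.51.100.12",          # not in the agreed list
        "intranet.example.com",   # internal host, never agreed
    ]
    ok, bad = partition_targets(proposed, EXAMPLE_SCOPE)
    print("in scope:", ok)
    print("out of scope, needs written approval before testing:", bad)
```

Anything that lands in the rejected list is a scope conversation to have before the engagement starts, not a judgement call for the tester to make mid-test; the same file can be handed to the tester as the written statement of what was agreed.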


Image Source: Adobe Stock: Leowolfert
