So guys, today's blog is very important and informative. Today's topic is what actually happens in a real-life penetration test.
There are so many rules and regulations for a beginner pen tester in a company. So in today's blog, I will share the steps which you have to follow while doing a pen test.
What are the steps when you work in a real company as a pen tester? So, if you want to know, read this blog till the end. Let's begin.
Firstly, a proper agreement is made defining your scope, which contains what you can do and what you can't.
The company may specify that you can't use automated tools, and sometimes you have to exploit manually. There is no restriction on programming: you can write any program and use it.
Now an interesting thing: if you run a pen testing company and are doing a pen testing engagement, your client can't change or deploy anything, and this is part of the rules. Suppose you have found all the vulnerabilities and made a proper report; the pen testing company will then submit a red card to their client.
This is basically a red certificate saying that they have completed the pen test and submitted the report. After that, the client has 30 days to fix all the vulnerabilities. When they get fixed, the client will inform the pen test company. The pen testing company will again test the client's server using the same methods as before. If all the vulnerabilities have been patched, the pen test company will issue a green certificate.
Now, let's come to the rules. This is specifically for European countries. A GDPR list is there to measure the rate of all vulnerabilities, so if somehow employees' data gets leaked, the government will charge the company, and in case any critical vulnerabilities are found, the company will have to do a pen test again in 2 months. This rule is for European countries.
Brought to you by Hacking Truth
Hope you remember I told you: once a pen test is done, the client has only 1 month to patch all the vulnerabilities. If the client doesn't respond in that time, and if the pen test company finds a new bug on the 31st day, they will charge the client company. That's a rule too.
Now, if a pen test is done and a bug is found within 3 months of the previous pen test, they can't submit it; otherwise they will face legal consequences. Because if a new bug comes out within 3 months, it is considered that they knew about it but didn't disclose it. Thus legal problems can occur. There is a disclosure policy where you cannot share any pen test report within 3 months. You cannot share anything regarding it. So many rules are there. It totally depends on the country and the company.
Hope you liked today's blog, and don't forget to share. You can't find this type of blog anywhere else. It's a very little-known topic. I would also like to give a big shoutout to Trident Security.
Disclaimer
All tutorials are for informational and educational purposes only and have been made using our own routers, servers, websites and other vulnerable free resources. We do not include any illegal activity. We believe that ethical hacking, information security and cyber security should be familiar subjects to anyone using digital information and computers. Hacking Truth is against misuse of the information, and we strongly advise against it. Please regard the word hacking as ethical hacking or penetration testing every time this word is used. We do not promote, encourage, support or incite any illegal activity or hacking.
- Hacking Truth by Kumar Atul Jaiswal