Part 11 - Best Practices



Time
4 hours 20 minutes
Difficulty
Intermediate
Video Description

In this second video on web app pentesting best practices, we discuss the important issue of when to test. This is important since the customer's operations can be negatively impacted as a result of your testing. In the agreement discussed in the previous video about gaining permission, you will also need to specify when you will be testing. Testing that places a large load on a system should be performed off-hours, most typically at night. However, certain types of tests will need to be performed during normal operating hours in order to identify if the customer is capable of detecting various kinds of attacks by way of their intrusion detection system.

Video Transcription
00:03
>> When to test is an important consideration as well for when you're pen-testing. This should be placed in the agreement that is made prior to testing, because when to test is just as important as what to test for, for a few reasons. Testing that places a large load on a system should be done at night. If the system goes down, it gives a customer time to bring it back up before normal operating hours. This helps reduce the risk of the individual or customer who you're testing for losing money if you take down a system or a website that is used to generate revenue. If a web application is developed correctly, it could take a beating. However, not all web applications are developed to handle large amounts of malicious traffic.

However, there are certain types of tests that should be done during normal operating hours. This can be used to identify if the customers can catch the attack itself. If they don't have a lockout policy, for example, for passwords, the time that you would want to do a brute force attack would be during operating hours. It's not going to place a large load on the system. This is something you will want to know: if they can identify it with the intrusion detection system that they should have in place for their web application.

Setting up times to reduce the load and to help prevent a system from going down makes a customer view you as somebody who is going to be very careful on their network. One of the things that you're going to come across when you are working with individuals is their lack of understanding of exactly what you will be doing on their network. This will cause them to be very apprehensive. However, if you place things like specific testing times for different forms of tests in the agreement, it causes people to view you as someone who's going to be safe on their network.

Many times you will have to work with systems that are utilized and maintained by multiple departments. It is important to develop relations with all departments that your testing will affect. If you fail to do so and something happens, such as the web application crashing, departments that are unsure of you may become aggressive and try to blame you even if you haven't begun testing yet. This is something I've seen myself when going in to perform a web application test. You will go to the organization and start performing your tests. You'll start getting individuals from other departments whose systems interact with the web application, who start becoming very aggressive and watching everything you do. Developing relationships weeks prior (or, in some cases where you may not have weeks, days or a week prior) with these other departments is very critical to your success and very critical to your web pen test going smoothly and with fewer headaches.

Organize a conference call with them all, or call a person or two from the different departments who you may be affecting. Give them an understanding of exactly what you will be doing. Tell them what your test will do to that network or to that system and ask them if they have any concerns, answer any questions that they may want answered, and put their minds at ease. Because when you go into that network, if you don't have good relationships with all of the departments that you may be affecting, it's going to be a very aggressive environment when you go in there. Then it may be very hard for you to get access to an area of that system that you may need access to. If you need to get into a certain part of the building that houses a server and your contact who initially hired you isn't available at that moment, but there is somebody who is able to get you into that area, then if you don't have a good relationship with them, your testing is effectively going to be on hold at that point. For the customer, you zooming around and doing nothing is just going to look really bad on you. Developing those relationships is going to make things very easy for you when you go to test somewhere.

What was covered? We discussed gaining permission and the stuff that you're going to need to put into the agreement. We also discussed building reports and we talked about the items that are critical for the customer to know. We also discussed when to test and talked about how you want to put as little load on the network as possible. We also discussed working with other departments and establishing good relationships with them prior to going in and testing. This portion of web pen-testing can keep you safe and make things go very easy for you. Remember this stuff prior to going in testing. Happy hacking, everyone.