Philosophy

Delimiting an ethical hacking: How to define the scope of your objectives

cover-delimit-ethical-hacking (https://unsplash.com/photos/SpVHcbuKi6E)
Felipe Gómez

NOLA Regional Director

Updated

Jan 9, 2018

1 min

The main problem an organization encounters when it needs to perform an Ethical Hacking is establishing the boundaries of the hacking.

Delimiting the scope of an Ethical Hacking by time is a common mistake: when the engagement is measured solely by effort, it is impossible to know when the hacking has ended, whether the results were satisfactory, or whether it was just a large waste of time and resources that left the organization with no valuable knowledge.

There are two objectives to evaluate in an Ethical Hacking: infrastructure and application. Either of them can be evaluated in an already deployed environment or in a development one, by analyzing the source code.

If what the organization wants is to identify vulnerabilities in its applications (web/mobile) and web services based on the needs and context of the business, in order to generate the biggest business impact possible, an Ethical Hacking of Applications should be done.

If what the organization wants is to detect security flaws directly in development, identifying bad programming practices and intentional errors in the source code that can affect the proper functioning of the system, a Source Code Analysis should be done.

Finally, if what is needed are attacks on the underlying infrastructure of the systems (network services/OS), looking to exploit specific vulnerabilities of the implemented technology, an Ethical Hacking of the Infrastructure should be done.

Once the type of attack to be performed is decided, the Target of Evaluation (ToE) has to be sized based on one of three measures:

  • Number of ports, if what is going to be evaluated is the infrastructure.

  • Number of input fields, if the target of the attack is the application.

  • Lines of code, if the risks associated with the development are to be determined.
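As an added example (not the post's own code and not a Fluid Attacks tool), the Python below sizes a ToE with the three measures just listed, on constructed sample inputs. The counting rules are my assumptions: distinct host:port pairs for infrastructure, data-entry elements excluding submit buttons for applications, and non-blank, non-comment lines for source code.

```python
"""Size a Target of Evaluation (ToE) by ports, input fields or lines of code.
All inputs below are constructed samples, not real scan or scope data."""
from html.parser import HTMLParser

# Constructed infrastructure inventory: (host, port) pairs reported as open.
# 10.0.0.5:443 appears twice to simulate two overlapping scans.
OPEN_PORTS = [("10.0.0.5", 22), ("10.0.0.5", 443), ("10.0.0.5", 443),
              ("10.0.0.6", 80), ("10.0.0.6", 3306)]

# Constructed application page with two forms.
SAMPLE_HTML = """
<form action="/login"><input name="user"><input name="pass" type="password">
<input type="submit" value="Go"><input type="hidden" name="csrf"></form>
<form action="/search"><input name="q"><select name="sort"><option>a</option></select>
<textarea name="notes"></textarea></form>
"""

# Constructed source file (assumed: '#' line comments).
SAMPLE_SOURCE = """# config loader
import os

def load():
    # read the token
    return os.environ.get("TOKEN")
"""

def infra_toe(pairs):
    """Distinct host:port pairs; a port seen in two scans is one target."""
    return len(set(pairs))

class _FieldCounter(HTMLParser):
    DATA_ENTRY = {"input", "textarea", "select"}
    def __init__(self):
        super().__init__()
        self.count = 0
    def handle_starttag(self, tag, attrs):
        # Submit buttons carry no attacker-controlled value; hidden fields
        # still reach the server and are tampered with as easily as visible ones.
        if tag in self.DATA_ENTRY and dict(attrs).get("type") != "submit":
            self.count += 1

def app_toe(html):
    """Number of input fields across every form on the page."""
    parser = _FieldCounter()
    parser.feed(html)
    return parser.count

def code_toe(source):
    """Lines of code, ignoring blank lines and full-line comments."""
    lines = (line.strip() for line in source.splitlines())
    return sum(1 for line in lines if line and not line.startswith("#"))

def scope_summary(pairs, html, source):
    """One record per ToE type, the number the engagement is committed to."""
    return {"ports": infra_toe(pairs), "input_fields": app_toe(html),
            "lines_of_code": code_toe(source)}
```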

Once these scopes are set and clear, one can be assured that everything related to that technology will be attacked, as opposed to delimitations based on execution time with automated tools, which only exploit a small percentage of the reported vulnerabilities.

At Fluid Attacks, our value proposition goes hand in hand with meeting the promised scope, never with time. Our Ethical Hacking is finished when we have evaluated the complete target of evaluation.

Tags:

hacking

pentesting

teste-de-seguranca
