After vulnerability assessment, you are moving on to exploit an E-Commerce website’s prioritized vulnerabilities in a well-planned penetration testing project. As a penetration tester, which of the following risk should you consider foremost for the customer’s sake?
A. Failure of the target
B. Lack of the get-out-of-jail-free card
C. Detailed documentation of the exploitation
D. Objectivity of the evaluation of exploitation endeavor
Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.
My suggested answer is A. Failure of the target.
The purpose of penetration testing is to identify, analyze, evaluate, and exploit vulnerabilities to gain insight into them and develop solutions that mitigate risk. Failure of the target may result in business loss or disrupt the delivery of products or services. Even though detailed documentation of the exploitation and objectivity in evaluating the exploitation endeavor are important when conducting penetration testing, the business always holds priority from the customer’s perspective. The penetration testing team should keep this in mind at all times.
The get-out-of-jail-free card is crucial to the penetration testing team, but this question asks from the customer’s perspective, or for the customer’s sake. So the get-out-of-jail-free card is not as important to the customer.
- Get Out of Jail Free card
- Legal Issues in Penetration Testing
- Penetration Testing and the Law
- Penetration Testing by Letter of the Law
- Iowa paid a security firm to break into a courthouse, then arrested employees when they succeeded
- CEO on Pentester Arrests: ‘Heroes Not Criminals’
- New Documents About Pentesters Jailed for Courthouse Break-In
- Black Hat: When penetration testing earns you a felony arrest record
- Charges dropped against Coalfire security team who broke into courthouse during pen test
A BLUEPRINT FOR YOUR SUCCESS IN CISSP
My new book, The Effective CISSP: Security and Risk Management, helps CISSP aspirants build a solid conceptual security model. It is not only a tutorial for information security but also a study guide for the CISSP exam and an informative reference for security professionals.
- It is available on Amazon.
- Readers from countries or regions not supported by Amazon can get their copy from the author’s web site.