After vulnerability assessment, you are moving on to exploit an E-Commerce website’s prioritized vulnerabilities in a well-planned penetration testing project. As a penetration tester, which of the following risk should you consider foremost for the customer’s sake?
A. Failure of the target
B. Lack of the get-out-of-jail-free card
C. Detailed documentation of the exploitation
D. Objectivity of the evaluation of exploitation endeavor

Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.

My suggested answer is A. Failure of the target.

The purpose of penetration testing is to identify, analyze, evaluate, and exploit vulnerabilities to get insights into them and develop solutions to mitigate risk. Failure of the target may result in business loss or disrupts the delivery of products or services. Even though detailed documentation of the exploitation and objectivity of the evaluation of exploitation endeavor is important when conducting penetration testing, business always holds priority from the customer’s perspective. The penetration team should keep this in mind all the time.

The get-out-of-jail-free card is crucial to the penetration team, but this question asks the customer’s perspective or for the customer’s sake. So, The get-out-of-jail-free card is not as important to the customer.

Reference

• Get Out of Jail Free card
• Legal Issues in Penetration Testing
• Penetration Testing and the Law
• Penetration Testing by Letter of the Law
• Iowa paid a security firm to break into a courthouse, then arrested employees when they succeeded
• CEO on Pentester Arrests: ‘Heroes Not Criminals’
• New Documents About Pentesters Jailed for Courthouse Break-In
• Black Hat: When penetration testing earns you a felony arrest record
• Charges dropped against Coalfire security team who broke into courthouse during pen test

A BLUEPRINT FOR YOUR SUCCESS IN CISSP

My new book, The Effective CISSP: Security and Risk Management, helps CISSP aspirants build a solid conceptual security model. It is not only a tutorial for information security but also a study guide for the CISSP exam and an informative reference for security professionals.

• It is available on Amazon.
• Readers from countries or regions not supported by Amazon can get your copy from the author’s web site.

弱點評鑑之後，您將繼續在具有良好規畫的滲透測試專案中，對一個電子商務網站已排定優先順序的漏洞進行滲透。 作為滲透測試人員，若為客戶著想，您應優先考慮以下哪項風險？
A. 測試目標失效
B. 缺少免責同意書
C. 滲透過程的詳細文件記錄
D. 滲透難易度評估的客觀性