Gathering requirements
Before starting the vulnerability assessment, it is essential to understand the customer's requirements clearly. The customer may be internal or external to the organization. A VA tester needs to know what the customer expects from the test. To identify and document the customer requirements, the following things need to be done.
Preparing a detailed checklist of test requirements
The tester needs to set up multiple meetings with the customer to understand their requirements. The outcome should include, but not be limited to, the following:
- The security compliance that the customer wants to adhere to
- Requirements and code of conduct (if any) stated in the respective security compliance
- List of network segments in scope
- List of network security devices in scoped network segments
- List of assets to scan (along with IP ranges)
- List of assets exposed to a public network (along with IP ranges)
- List of assets that have network-wide...