---
name: penetration-testing-vulnerability
description: Conduct and manage penetration testing programs including external and internal assessments, web application testing, API security testing, cloud infrastructure testing, red team exercises, and social engineering assessments. Use when scheduling penetration tests, defining scope, managing third-party testers, tracking remediation, preparing pentest reports, establishing testing frequency, or building internal pentesting capabilities. Triggers on phrases like "penetration testing", "pentest", "vulnerability assessment", "red team", "ethical hacking", "security assessment", "bug bounty", "web app testing", "API security testing", "cloud security assessment", "social engineering test", "pen test scope", "remediation tracking".
---

# Penetration Testing & Vulnerability Assessment

Comprehensive penetration testing program management including external/internal network testing, web application assessment, API security testing, cloud infrastructure evaluation, and red team exercises.

## Workflow

1. Define annual penetration testing program: frequency, scope, methodology, budget, and compliance requirements (PCI-DSS, SOC 2, ISO 27001, HIPAA each have specific requirements).
2. Establish testing scope: in-scope assets (external perimeter, internal network, web apps, APIs, cloud environments, mobile apps), out-of-scope assets (production databases without staging equivalent, third-party systems), rules of engagement.
3. Select testing approach: black box (no prior knowledge), gray box (partial knowledge, typical user credentials), white box (full source code and architecture access).
4. Engage qualified testers: verify certifications (OSCP, OSCE, GPEN, GWAPT, CRTP), check references, ensure cyber liability insurance, sign NDA and RFP.
5. Prepare testing environment: staging environments mirroring production, test accounts with realistic data (anonymized), monitoring tools to detect test activity.
6. Execute testing: testers perform reconnaissance, scanning, exploitation, post-exploitation, privilege escalation, and lateral movement within agreed scope and time window.
7. Receive and triage findings: vulnerability report with CVSS scores, proof-of-concept evidence, business impact assessment, remediation recommendations.
8. Remediate findings: prioritize by severity and business risk; assign to engineering teams; track in vulnerability management system; target remediation SLAs by severity.
9. Conduct retest: verify remediation effectiveness; confirm vulnerabilities resolved; document any remaining risks with risk acceptance.
10. Report and archive: executive summary for leadership; technical details for engineering; compliance evidence for auditors; archive reports for 3+ years.

## Testing Types and Scope Definition

```
PENETRATION TESTING TYPES
===========================

EXTERNAL NETWORK PENETRATION TEST:

  Scope: Internet-facing assets only
    → Public IP addresses and ranges
    → DNS records and subdomains
    → Public-facing applications and APIs
    → Email servers (SMTP, IMAP, POP3)
    → VPN concentrators
    → CDN endpoints

  Methodology:
    → Reconnaissance: Passive OSINT, DNS enumeration, subdomain discovery, technology fingerprinting
    → Scanning: Port scanning (full TCP, SYN scan), service identification, banner grabbing
    → Exploitation: Known vulnerabilities (CVEs), misconfigurations, default credentials, weak SSL/TLS
    → Post-exploitation: Privilege escalation, lateral movement from initial foothold, data access attempt
    → Reporting: All findings documented with evidence and remediation steps

  Frequency: Semi-annual (required by PCI-DSS); annual minimum for most compliance frameworks
  Duration: 5-10 business days
  Cost range: $15,000–$50,000 (depends on scope and firm)

INTERNAL NETWORK PENETRATION TEST:

  Scope: Internal network from inside the perimeter
    → Internal subnets and segments
    → Active Directory infrastructure (domain controllers, LDAP, Kerberos)
    → Internal applications and databases
    → File servers, print servers, network infrastructure
    → VPN (from authenticated internal perspective)

  Methodology:
    → Network discovery: Internal network mapping, host enumeration
    → Service exploitation: SMB, RDP, SSH, internal web apps, databases
    → Active Directory attacks: Kerberoasting, AS-REP roasting, Golden/Silver ticket, pass-the-hash
    → Privilege escalation: Local → domain user → domain admin
    → Lateral movement: From compromised host to sensitive systems
    → Data access: Attempt to reach crown jewel data (PII, financial data, IP)

  Prerequisites:
    → Test account with standard user privileges
    → Physical or VM access to internal network
    → Monitoring team aware (to distinguish test from real attack)

  Frequency: Annual (required by PCI-DSS); recommended every 6-12 months
  Duration: 5-15 business days (depends on network complexity)
  Cost range: $20,000–$75,000

WEB APPLICATION PENETRATION TEST:

  Scope: Specific web applications
    → Application URL and subdomains
    → API endpoints (REST, GraphQL)
    → Authentication mechanisms (SSO, OAuth, MFA)
    → File upload functionality
    → Admin panels and configuration interfaces

  Methodology (OWASP WSTG-aligned):
    → Authentication testing: Session management, MFA bypass, brute force
    → Authorization testing: IDOR, privilege escalation, horizontal/vertical access control
    → Input validation: SQL injection, XSS (reflected, stored, DOM-based), command injection
    → Business logic flaws: Workflow bypass, payment manipulation, race conditions
    → Configuration: Security headers, CORS misconfiguration, verbose error messages
    → API testing: Broken object level authorization (BOLA), excessive data exposure, rate limiting

  Standards: OWASP Top 10 (2021), OWASP Web Security Testing Guide, PTES
  Tools: Burp Suite Professional, OWASP ZAP, Acunetix, Nessus Web Scanner
  Frequency: Annual per application; after every major release; before going live
  Cost range: $10,000–$40,000 per application

CLOUD INFRASTRUCTURE PENETRATION TEST:

  Scope: Cloud environment (AWS, Azure, GCP)
    → Cloud storage (S3 buckets, Azure Blob, GCS)
    → Compute instances (EC2, VMs, Compute Engine)
    → Serverless functions (Lambda, Azure Functions, Cloud Functions)
    → Databases (RDS, DynamoDB, Cosmos DB, Cloud SQL)
    → IAM configurations (roles, policies, permissions)
    → Cloud-native services (KMS, Secrets Manager, CloudTrail, etc.)

  Methodology:
    → Cloud misconfiguration assessment: Public storage, over-permissive IAM, exposed metadata
    → Identity exploitation: Role chaining, privilege escalation, assumed role abuse
    → Service exploitation: Lambda escape, container breakout, serverless injection
    → API exploitation: Cloud provider API misuse, infrastructure as code vulnerabilities
    → Data exfiltration attempt: From compromised instance to attacker-controlled storage

  Special considerations:
    → Cloud provider terms of service: Verify authorized testing scope (AWS/Azure/GCP each have specific ToS)
    → Rate limiting: Avoid triggering provider abuse detection
    → Cost impact: Ensure testing does not generate unexpected cloud charges

  Frequency: Annual; after major cloud architecture changes
  Cost range: $15,000–$60,000

RED TEAM EXERCISE:

  Scope: Organization-wide adversarial simulation
    → External attack surface
    → Internal network
    → Web applications and APIs
    → Physical security (office entry, badge cloning, tailgating)
    → Social engineering (phishing, vishing, smishing)
    → Supply chain (third-party compromise simulation)

  Methodology:
    → Objective-based: "Achieve domain admin access" or "Exfiltrate customer database"
    → No constraints (within legal/safe boundaries)
    → Multiple attack vectors simultaneously
    → Real-world adversary TTPs (MITRE ATT&CK framework)
    → Detection assessment: How long until detected? (dwell time measurement)

  Duration: 2-6 weeks
  Team: 3-5 experienced red teamers
  Cost range: $50,000–$200,000+
  Frequency: Annual or bi-annual for critical organizations

SOCIAL ENGINEERING ASSESSMENT:

  Types:
    → Phishing campaign: Email-based targeting specific departments; click rate measurement
    → Vishing: Phone-based social engineering (IT support impersonation, executive impersonation)
    → Smishing: SMS-based phishing; credential harvesting via text
    → Physical: Tailgating, badge cloning, lock picking, dumpster diving
    → Watering hole: Compromising websites frequented by target employees

  Frequency: Quarterly phishing tests; annual comprehensive social engineering assessment
  Cost range: $5,000–$30,000
```

## Rules of Engagement

```
RULES OF ENGAGEMENT (ROE) TEMPLATE
=====================================

GENERAL RULES:

  Testing Window:
    → Dates: [Start Date] to [End Date]
    → Hours: Business hours only (9 AM – 6 PM [Timezone]) unless explicitly authorized
    → Emergency stop: Either party can halt testing immediately via [Emergency Contact]
    → Communication: Daily status calls at 4 PM; ad-hoc communication for critical findings

  Authorized Targets:
    → In scope: [Specific IP ranges, domains, applications, cloud accounts]
    → Out of scope: [Production databases, third-party systems, specific IP ranges]
    → Test accounts: Provided for authenticated testing; credentials documented separately

  Prohibited Activities:
    → Denial of service (DoS/DDoS) attacks
    → Physical destruction or damage
    → Social engineering of employees outside agreed scope
    → Testing against third-party systems without explicit written consent
    → Data destruction or modification (read-only access unless explicitly authorized)
    → Exfiltration of real customer data (use test data only)
    → Use of exploits known to cause system instability (must discuss before use)

  Safety Measures:
    → Test data: Use anonymized/synthetic data; no real PII/PHI in test environments
    → Backup: Ensure backups of critical systems before testing begins
    → Monitoring: Security team monitors for test activity; distinguishes from real attacks
    → Rollback plan: Procedures to restore systems if testing causes disruption

  Deliverables:
    → Initial findings briefing: Within 2 business days of test completion
    → Draft report: Within 5 business days
    → Final report: Within 10 business days (after clarification/questions)
    → Executive summary: Non-technical summary for leadership
    → Technical report: Detailed findings with PoC, CVSS scores, remediation guidance
    → Retest: Within 90 days of remediation; no additional cost if within scope

  Legal and Compliance:
    → NDA: Signed by all team members before testing begins
    → Authorization letter: Written scope of authorization from company executive
    → Insurance: Testing firm carries $2M+ cyber liability insurance
    → Data handling: All test data and reports handled per confidentiality agreement
    → Report ownership: Company owns all reports and findings; tester retains methodology IP
```
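The ROE's testing window and authorized-target list can be enforced mechanically before any tool touches a host. The following is an added example, not part of the original template: the address ranges, dates, UTC-5 timezone, the `check_target` name and the Monday-to-Friday reading of "business hours" are all assumptions made for illustration.

```python
from datetime import date, datetime, time, timedelta, timezone
from ipaddress import ip_address, ip_network

# Constructed engagement values: documentation address ranges, made-up dates.
TZ = timezone(timedelta(hours=-5))  # stands in for the ROE's [Timezone]
ROE = {
    "tz": TZ,
    "start": date(2024, 3, 4),
    "end": date(2024, 3, 15),
    "hours": (time(9, 0), time(18, 0)),  # business hours only, 9 AM to 6 PM
    "in_scope": [ip_network("203.0.113.0/24"), ip_network("198.51.100.0/25")],
    "out_of_scope": [ip_network("203.0.113.128/28")],  # carve-out inside scope
}


def check_target(roe, target, when):
    """Return (allowed, reason) for one target at one moment.

    Out-of-scope entries always win over in-scope ones, so a carve-out
    inside an authorized range stays protected.
    """
    if when.tzinfo is None:
        raise ValueError("timestamp must be timezone-aware")
    addr = ip_address(target)
    local = when.astimezone(roe["tz"])  # judge the window in the ROE timezone
    if not roe["start"] <= local.date() <= roe["end"]:
        return False, "outside testing dates"
    opens, closes = roe["hours"]
    # Assumption: "business hours" means Monday to Friday.
    if local.weekday() >= 5 or not opens <= local.time() < closes:
        return False, "outside business hours"
    if any(addr in net for net in roe["out_of_scope"]):
        return False, "explicitly out of scope"
    if not any(addr in net for net in roe["in_scope"]):
        return False, "not listed in scope"
    return True, "authorized"


if __name__ == "__main__":
    tuesday_10am = datetime(2024, 3, 5, 10, 0, tzinfo=TZ)
    for host in ("203.0.113.10", "203.0.113.130", "192.0.2.5"):
        print(host, check_target(ROE, host, tuesday_10am))
```

Logging every denied check alongside the reason gives the coordination team an audit trail that testing stayed inside the signed authorization.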

## Findings Management and Remediation

```
VULNERABILITY REMEDIATION SLA FRAMEWORK
=========================================

SEVERITY CLASSIFICATION AND SLAS:

  Critical (CVSS 9.0–10.0):
    → Definition: Remote code execution, authentication bypass, data exfiltration
    → Example: Unauthenticated RCE in web application, domain admin credential theft
    → Remediation SLA: 7 days (patch deployed or compensating control in place)
    → Containment: 24 hours (temporary mitigation if patch not available)
    → Escalation: CISO + engineering VP notified immediately
    → Retest: Within 14 days of remediation

  High (CVSS 7.0–8.9):
    → Definition: Privilege escalation, SQL injection, stored XSS, sensitive data exposure
    → Example: IDOR allowing access to other users' data, path traversal to /etc/passwd
    → Remediation SLA: 30 days
    → Containment: 7 days (WAF rule, access restriction, or temporary workaround)
    → Escalation: Engineering manager + security team notified
    → Retest: Within 45 days of remediation

  Medium (CVSS 4.0–6.9):
    → Definition: Information disclosure, weak cryptography, misconfigurations, low-impact XSS
    → Example: Missing security headers, verbose error messages, outdated JS libraries
    → Remediation SLA: 90 days
    → Containment: Not required (address in normal development cycle)
    → Escalation: Development team backlog item
    → Retest: Within 120 days or next pentest cycle

  Low (CVSS 0.1–3.9):
    → Definition: Best practice violations, informational findings, theoretical risks
    → Example: Missing X-Frame-Options, HTTP methods enabled (TRACE), cookie attributes
    → Remediation SLA: 180 days (or next scheduled maintenance release)
    → Containment: Not required
    → Escalation: Development team awareness; added to security standards
    → Retest: Next annual pentest cycle

  Informational:
    → Definition: Recommendations, best practices, informational observations
    → Example: "Consider implementing MFA", "Security headers could be enhanced"
    → Remediation SLA: No SLA (tracked for awareness)
    → Action: Consider in upcoming security improvement roadmap

REMEDIATION TRACKING PROCESS:

  1. Findings imported to vulnerability management system (Jira, ServiceNow, DefectDojo, Bugcrowd)
  2. Each finding assigned to responsible team and engineer
  3. Due date set based on severity SLA
  4. Weekly status review: open findings, approaching SLA breaches, completed remediations
  5. Engineering submits fix → security team validates → status updated
  6. Retest scheduled after all critical/high findings addressed
  7. Retest results: confirmed fixed, partially fixed (requires additional work), not fixed (risk acceptance)

  RISK ACCEPTANCE (when remediation not feasible):
    → Business justification documented (cost, feasibility, impact on functionality)
    → Compensating controls identified and implemented
    → Risk acceptance signed by: CISO + business unit leader
    → Review period: 6 months (re-assess risk)
    → Audit trail: Risk acceptance tracked for compliance auditors

REMEDIATION EFFECTIVENESS METRICS:

  → Mean Time to Remediate (MTTR):
     Critical: Target ≤ 7 days; current: 5.2 days ✓
     High: Target ≤ 30 days; current: 22 days ✓
     Medium: Target ≤ 90 days; current: 67 days ✓

  → SLA Compliance Rate:
     Critical: 95% (within SLA)
     High: 88% (within SLA)
     Medium: 82% (within SLA)

  → Retest Pass Rate: 87% (findings confirmed resolved on first retest)
  → Vulnerability Trend: ↓ 15% from last assessment cycle
```
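The severity bands, due dates and weekly review described above reduce to a small amount of logic. The following is an added example, not part of the original framework: the finding records, field names, the 7-day `warn_days` threshold for "approaching SLA" and the choice to measure MTTR from report date to fix date are assumptions.

```python
from datetime import date, timedelta
from statistics import mean

# severity: (CVSS floor, remediation SLA in days), from the framework above
SLA = {
    "Critical": (9.0, 7),
    "High": (7.0, 30),
    "Medium": (4.0, 90),
    "Low": (0.1, 180),
}

# Constructed sample findings; "fixed" is absent while a finding is open.
FINDINGS = [
    {"id": "PT-001", "cvss": 9.8, "reported": date(2024, 4, 1), "fixed": date(2024, 4, 5)},
    {"id": "PT-002", "cvss": 9.1, "reported": date(2024, 4, 1), "fixed": date(2024, 4, 11)},
    {"id": "PT-003", "cvss": 8.1, "reported": date(2024, 4, 1)},
    {"id": "PT-004", "cvss": 5.3, "reported": date(2024, 4, 1)},
    {"id": "PT-005", "cvss": 0.0, "reported": date(2024, 4, 1)},
]

def severity(cvss):
    """Map a CVSS score to the framework's severity band."""
    if not 0.0 <= cvss <= 10.0:
        raise ValueError(f"CVSS score out of range: {cvss}")
    for name, (floor, _) in SLA.items():
        if cvss >= floor:
            return name
    return "Informational"  # score 0.0: tracked for awareness, no SLA

def review(finding, today, warn_days=7):
    """Return (severity, remediation due date, state) for the weekly review."""
    sev = severity(finding["cvss"])
    if sev == "Informational":
        return sev, None, "no SLA"
    due = finding["reported"] + timedelta(days=SLA[sev][1])
    fixed = finding.get("fixed")
    if fixed:
        state = "closed in SLA" if fixed <= due else "closed late"
    elif today > due:
        state = "SLA breached"
    elif (due - today).days <= warn_days:
        state = "approaching SLA"
    else:
        state = "open"
    return sev, due, state

def metrics(findings):
    """Per-severity MTTR in days and SLA compliance rate over closed findings."""
    closed = {}
    for f in findings:
        sev = severity(f["cvss"])
        if sev in SLA and f.get("fixed"):
            closed.setdefault(sev, []).append((f["fixed"] - f["reported"]).days)
    return {sev: {"mttr_days": round(mean(days), 1),
                  "sla_rate": sum(d <= SLA[sev][1] for d in days) / len(days)}
            for sev, days in closed.items()}
```

With the sample data, the two Critical findings average exactly the 7-day target while only one of them closed inside the SLA, which is why MTTR and SLA compliance rate are reported as separate metrics.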

## Integration Points

- **Bugcrowd / HackerOne**: Bug bounty platforms for continuous external testing; community of vetted security researchers; managed programs with SLAs and reporting
- **DefectDojo**: Open-source vulnerability management platform; import pentest reports (SARIF, JSON, CSV); track remediation; API integrations
- **Jira Service Management**: Track pentest findings as tickets; workflow automation; SLA tracking; reporting dashboards
- **ServiceNow Vulnerability Response**: Enterprise vulnerability management; integrates with scanning tools; risk scoring; remediation workflows
- **Burp Suite Professional**: Web application testing toolkit; scanner + manual testing; intruder for fuzzing; repeater for manual request modification; $479/year
- **OWASP ZAP**: Open-source web application scanner; API testing; active and passive scanning; CI/CD integration; free
- **Nessus / Qualys**: Vulnerability scanning; continuous monitoring; compliance auditing; integrates with vulnerability management platforms
- **MITRE ATT&CK Navigator**: Map pentest findings to ATT&CK techniques; track coverage; identify testing gaps

## Edge Cases

- **Production-only applications (no staging environment)**: Test with extreme caution; read-only operations only; schedule during low-traffic window; DBA present during testing; consider synthetic testing environment
- **Regulated environments (PCI-DSS, HIPAA, FedRAMP)**: Tester must be approved (background check, facility clearance); testing methodology reviewed in advance; all findings reported to compliance team; specific testing frequency mandated
- **Third-party hosted applications (SaaS)**: Verify vendor's penetration testing policy; coordinate testing window; scope limited to your configuration and custom integrations; vendor may refuse direct testing — request their SOC 2 report and pen test summary instead
- **IoT/OT environments**: Specialized testing required; non-destructive testing only; physical safety is priority; coordinate with OT team; test in isolated lab before production testing; use ICS-specific tools (ICS-CERT guidelines)
- **Mobile application testing**: Separate from web app testing; requires Android/iOS testing environment; decompilation/reverse engineering; API testing from mobile perspective; certificate pinning bypass testing
- **Large-scale organizations (1000+ assets)**: Prioritize crown jewels; risk-based testing approach; multiple concurrent test streams; dedicated internal coordination team; quarterly rolling assessments instead of annual big-bang
- **Startup environments (limited budget)**: Open-source tools (ZAP, Nuclei, subfinder, gobuster) for initial scanning; focus on authentication and authorization testing; consider bug bounty program as cost-effective alternative to full pentest; prioritize OWASP Top 10 coverage
