You may have unique requirements and concerns about assets in production use.
You’ve already shared details about your asset, ideally including its architecture. Beyond what the selected standard requires, share any special concerns about the asset. The following checklist gives examples to help you decide what to share with your pentesters. You’re not required to include any of these details, but we encourage you to include any concerns that affect your production systems.
- Highlight areas for special attention, such as:
  - Recent releases
  - Specific functionality
  - Vulnerabilities that you’re concerned about
    - Be specific. Include CVE numbers (or equivalent) if available.
- Requirements to access the target environment:
  - For example, if you’re looking for a test on the internal network, include instructions on how to access the jump box on that network.
- Production concerns. If you’re setting up a test on production systems, share details that could affect your network, such as components that are sensitive to load or times when testing should be avoided.
- Out-of-scope subjects. Highlight any features or workflows that are out of scope for this test.
  - We discourage long “out of scope” lists: anything you exclude is not tested.
Note: Denial of Service (DoS) tests are out of scope by default. If the desired standard or regulation allows it, you can explicitly request DoS tests.
Proceed to the next step, the Technology Stack.