Triaxiom Security
24 Jul 2018

Why Should I Whitelist the Pentester’s IP Address?

Before we start any engagement, we like to go over a document that lists all of the Rules of Engagement (ROE) for the upcoming penetration test. We cover things like making sure you have approval from your cloud provider, when status updates will be sent to the client, and how time-sensitive and critical issues […]

19 Jul 2018

Top 10 Questions Answered by a Web Application Penetration Test

A web application penetration test takes a look at the security of external or internal applications for your organization. This type of testing goes above and beyond standard network-level penetration testing, focusing on both the unauthenticated and authenticated portions of a website. But why do web application penetration testing? What threats are you addressing for […]

17 Jul 2018

What is a Physical Penetration Test?

If there is one type of assessment that is not like the others, it is the physical penetration test. A physical penetration test assesses the risk to your organization of an attacker physically breaking in. This blog will explore the physical penetration test, what questions it answers, what type of clients typically seek physical penetration […]

12 Jul 2018

Why are Rules of Engagement Important to my Penetration Test?

The term “Rules of Engagement” sounds intimidating the first time you hear it, but don’t be alarmed: it is meant to protect both you as the client and your penetration testers. The Rules of Engagement, or ROE, are meant to list out the specifics of your penetration testing project to ensure that both the client […]

10 Jul 2018

The Importance of PCI Segmentation

Segmentation is not a requirement to meet PCI compliance. However, it is strongly recommended by the PCI Council as it can greatly reduce the cost, scope, and difficulty of meeting compliance. In this blog, we will explore these reasons a bit further and explain the importance of PCI segmentation. What is Segmentation? Segmentation, from a […]

2 Jul 2018

Determining PCI Scope – A Practical Guide

Having performed numerous Reports on Compliance (ROC) for corporations and assisted a myriad of clients with their Self Assessment Questionnaire (SAQ), one thing is apparent to us: companies large and small are having difficulty determining PCI scope for their environment. This can have a profound impact on your compliance. Having the wrong scope can invalidate […]

28 Jun 2018

Does HIPAA Require Penetration Testing?

Technically, no, the Health Insurance Portability and Accountability Act of 1996 (HIPAA) does not specifically require penetration testing. But stick with me, because there are some important nuances to make note of here. While the act never specifically calls out vulnerability scans or penetration testing, there are a number of industry experts and standards organizations […]

26 Jun 2018

What is the Typical Timeline for a Penetration Test?

We often get asked, “what is the typical timeline for a penetration test?” The projected schedule can often dictate the business decision around which penetration testing firm to ultimately go with. When you’re under a tight deadline, it’s helpful to get a better idea of what to expect when contracting for a penetration test. While […]

21 Jun 2018

What is a PCI External Penetration Test?

Among the security testing that PCI DSS v3.2 requires is external penetration testing. External penetration testing is becoming a regular part of security practitioners’ vocabularies, with seemingly every security standard requiring it and any mature security program identifying its importance. The requirements surrounding a PCI external penetration test have some specific nuances that are worth […]

19 Jun 2018

What is PCI Segmentation Validation Testing?

We’ve previously discussed many of the different kinds of testing that the Payment Card Industry Data Security Standard (PCI DSS) requires. Among those requirements for many organizations is segmentation validation testing. Segmentation refers to either the physical or logical separation of portions of the network to prevent unnecessary communication channels. In the case of PCI, […]

© 2025 Triaxiom Security, a division of Strata Information Group, Inc. All rights reserved.