Target considerations

Some considerations to keep in mind when performing the pentest on the identified targets.

  • Allow list (whitelisted) versus deny list (blacklisted): We can ask to have our pentest system added to the allow list of the customer's security controls rather than being caught by a deny list.

  • Security exceptions: We can ask our IP address or account to be added to security exceptions within security controls so that we are not blocked.

  • IPS/WAF whitelist: Our IP address can be added to the whitelist on the intrusion prevention system (IPS) and the web application firewall (WAF) so that it is not blocked, and we can test the web application.

  • NAC: The customer may have network access control (NAC) implemented so that only devices in a known secure state can connect to the network. This could affect our ability to connect to the network and perform the pentest, so we may have to be placed on an exception list to access the network from our pentest system.

  • Certificate pinning: Certificate pinning is the process of associating a host with the server certificate it expects to receive. If the certificate presented comes from a different system, the communication session is not established. We may need to have certificate pinning disabled on the network to allow our test traffic to communicate.

  • Review the company security policy to determine if there are any policies in place that would put limits on the actions we can take.

  • Be aware of any technical constraints that may limit our ability to perform the penetration test. Firewalls may block our scans during target discovery, or network segmentation may restrict which segments can communicate with each other.

  • When performing the pentest, be aware of any differences between environments, as those differences can change how the pentest tools respond. Be aware of export restrictions when crossing borders with encrypted content, and of any other local and national government restrictions on encryption and penetration testing tools. When performing a pentest for a large global company, know that the laws on using such tools differ between the countries it operates in. Also review any corporate policies so that we are aware of the customer's pentesting rules.