As a penetration tester, you are preparing to engage in a security assessment of a client's web application. The client has emphasized the importance of adhering to a strict schedule and minimizing downtime. You have reviewed the statement of work and confirmed the target endpoints that require testing. To ensure professional integrity, what would be the MOST appropriate course of action when you discover a potentially destructive test that could cause significant downtime?
Proceed with the potentially destructive test only after creating a complete backup of the application.
Perform the test but limit its scope to a non-production environment that is not covered in the statement of work.
Refrain from performing the test and document the decision, notifying the client of the potential risk associated with the test.
Run the test during off-peak hours to reduce the potential impact on the application's normal operation.
When preparing for penetration testing, it is crucial to maintain the integrity of clients’ systems and abide by the rules of engagement. Avoiding potentially destructive tests is aligned with limiting invasiveness and maintaining application availability, especially when the client has emphasized the importance of minimizing downtime.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What are the main components of a statement of work in penetration testing?
Open an interactive chat with Bash
Why is it important to document decisions made during a penetration test?
Open an interactive chat with Bash
What are the potential consequences of conducting a destructive test on a production environment?