If I had the luxury of talking to my past self, these are the things I wish I had done differently during the years that I performed pentesting. Some of these I eventually learned before I stopped pentesting; others, well, let's just say they are much more recent. If I think of more items I'll attempt to update the blog.
If you are a pentester and you are reading this, I hope you can benefit from them. Just make sure you evaluate whether they are applicable to your situation and adjust them as required. If you are in a rush, here is the list; the details can be found in the rest of this article:
- Don’t be afraid of talking to clients
- Always ask for equivalent access
- Avoid blackbox tests
- Write the report while you pentest
- Images, images & images
- Provide detection advice & POCs
- Provide reproducible POCs for your attacks (security regression tests)
- Provide scripts to fix the issue (when possible)
- Publish more
- Grasp the bigger picture
- Include what you didn’t do
- Don’t be afraid to say something was good
I've also included some crazy fantasies of mine, which I'll always wonder about: would they have made a difference?
- Re-use reports and label them as such
- Provide the report upfront