Pentest/VAPT Rules of Engagements (RoE) and Best Practices
01. Use one excel spreadsheet workpaper for everyone that should include project details, type of project (grey/black box), and credentials. Nmap, Dirsearch, Nuclei, and Burp Crawler raw outputs in each sheet. Issues in a new sheet. Any useful info during the test is in another tab. Save it using password protected feature.
02. Log public IPs on each day before starting the test and at the end of the test. This helps in case a client asks you for an investigation. This should also go into the workpaper.
03. Whitelist your IP or custom user-agent header to bypass the firewall and test the actual site behind the WAF to discover all the issues. The
testing of the real site is necessary in case anything happens with WAF tomorrow or a zero-day comes in it, and clients would be protected
if their actual site was tested in the past for all flaws.
04. Use the scanner to cover every possible request and parameter to be tested.
05. Get consent from the client before running any automated scans. If a client resists, make them understand the benefits of using the controlled automated scanner in order not to miss out on any vulnerabilities.
06. Ensure scanner profiles are mentioned in SOP and shared with the team through a centralized location. Light scan and normal scan profiles are to be created at a minimum for various tools such as BurpSuite, Nessus, Qualys, or other relevant ones.
07. Create a report review checklist based on the format of the report and share it with the team using a centralized location. Each individual is responsible for reviewing their own report before submitting it to the senior for review.
08. Generate a mindmap for business logic flaws and ensure you put it in the same client folder where PoCs and workpaper are. Create all the test cases for the business logic flaws based on the request parameters.
09. Use a custom user-agent header (still in the format of firefox or chrome but add some unique random string of 12/15 characters between
titles. This is helpful for the investigation when a client comes to us and says we are getting a lot of traffic. Are you guys scanning?
10. Ask testers to save BurpSuite states every single day distinctly. This helps investigate in future we did. Did we miss something, or have we
covered XYZ? Not to use the previous day’s burp state by importing it.
11. The report must be shared with the client in a password-protected PDF zip file only, and the password must be shared via another medium (E.g., SMS, avoid using 3rd party cloud apps (WhatsApp/Teams/Emails.)
12. Suppose a project is of 1 week; provide an interim one pager Summary report on the 3rd or 4th day consisting of at least the progress of the project, things are done/pending, issues identified, etc.
13. During your VAPT project, if you find any critical issue, report it asap using an advisory template and ask the client to get on a call to fix it ASAP without waiting to complete the entire project.
14. Test during the defined hours only and by using the company’s corporate/lab network only.
15. Have a dedicated internet access minimum LAN to perform VAPT on apps or networks. Ensure your router is not filtering packets based on the number of packets and request types. It should allow anything and everything transmitting through it without being smart.
16. Ensure that only a few people test and flood packets through the same network. Not all testers are performing clients’ projects at the
same time in the same network. If so, balance your load by using dedicated networks.
17. Create a separate virtual machine or host system to run the VAPT, so it does not affect the existing system. Ensure you take a snapshot every month or at least after a significant change (installation of a new tool, deletion of something, changing the major configuration, etc.)
18. Invest in commercial tools and do not use cracked versions. This includes security tools like BurpSuite/Nessus/Qualys, MS Office, and other productivity tools.
19. Ensure that with all these RoEs (Rules of Engagements), the team has synergy in their work and the output they generate.
20. Perform regular reviews and assessments of your VAPT processes and procedures to identify any areas for improvement. This can help ensure that your testing is effective, efficient, and compliant with relevant standards and regulations.
21. Use a password manager for all the accounts you manage for your company/team and password-protected client reports.
22. Use a version control system to manage and track changes to your workpapers, tools, and other assets used during VAPT testing. This can help ensure that you have a complete and accurate record of your testing activities and can easily revert to previous versions if needed.
23. Understand the feature you are testing in the web app and think of a backend infrastructure/service/support; based on that, use a scanner/intruder or any automated requests carefully. You may generate a lot of traffic that may result in numerous tickets in the support center. E.g., Contact us page, Chat box, Complaint page, and Other relevant pages.
24. Maintain a library of commonly used tools, scripts, and resources that can be used during VAPT testing. This can help streamline the testing process and reduce the time and effort required to conduct testing.
25. Before closing the engagement, obtain written confirmation from the client that all vulnerabilities or security issues have been addressed.
26. Have an updated VAPT checklist at least of the web, network, iOS, and Android. Share using a common drive and force everyone to use it.
Ensure one person is dedicated to updating that by following weekly/monthly resources of new vulnerabilities, write-ups, etc. The manager must review the checklist.
We will explore more in our next upcoming blogs…
Thank you for reading!