Created
February 11, 2019 01:42
-
-
Save cmlh/d59d6ba6e74c9804273611d3d01b753a to your computer and use it in GitHub Desktop.
PCI SSC Penetration Testing Guidance
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Penetration Tester Name/Organization | |
| Report Question|Yes/No|Page | |
| ------------------|--------|---- | |
| Contact information|Y|1 | |
| Credentials/qualifications of analysts|N|1 | |
| Is there sufficient evidence that the individuals are organizationally independent from the management of the environment being tested?|Y|1 | |
| Dates the engagement was performed|N|1 | |
| Date the report was issued|Y|1 | |
| Executive Summary | |
| Report Question|Yes/No|Page | |
| ------------------|--------|---- | |
| Summarizes testing performed|Y|1 | |
| Summarizes results of testing|N|1 | |
| Summarizes steps for remediation|Y|1 | |
| Scope | |
| Report Question|Yes/No|Page | |
| ------------------|--------|---- | |
| Is the scope clearly documented?|Y|1 | |
| How the scope was determined|N|1 | |
| Is the attack perspective of the engagement clearly defined (internal, external, or both)?|Y|1 | |
| Is the type of testing clearly defined (application layer, network layer, or both)?|N|1 | |
| Were there any constraints put on the testing (time, bandwidth limitations, etc.)?|Y|1 | |
| Methodology | |
| Report Question|Yes/No|Page | |
| ------------------|--------|---- | |
| Is the methodology clearly stated?|Y|1 | |
| Does the methodology reflect industry best practices (OWASP, NIST, etc.)?|N|1 | |
| Narrative | |
| Report Question|Yes/No|Page | |
| ------------------|--------|---- | |
| Is there a clear discussion of the automated and manual testing that was performed?|Y|1 | |
| Is there clear documentation of any problems that were encountered during the testing (interference from active protection systems, target environment controls blocking or dropping packets, etc.)?|Y|1 | |
| Discovery | |
| Report Question|Yes/No|Page | |
| ------------------|--------|---- | |
| Is there a section that documents all identified open network ports/services for the target scope and the originating perspective (external or internal exposure)?|Y|1 | |
| Results | |
| Report Question|Yes/No|Page | |
| ------------------|--------|---- | |
| Is there a clear indication whether retesting is needed, and if so, what specific areas require retesting?|Y|1 | |
| Is there a summary listing of items that need remediation and retesting?|Y|1 | |
| Is there a detailed listing of items that need remediation and retesting?|Y|1 | |
| Did tester demonstrate attempts to exploit the identified vulnerability and clearly state the potential result/risk that each potential exploit may pose to the environment? (See Section 5.1.1 for risk-ranking discussion.)|Y|1 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment