Contact us
Search
English

Delimiting an Ethical Hacking

How to define the scope of your objectives

Blog Delimiting an Ethical Hacking
fgomez

Felipe Gómez

| 1 min read

Contact us

The main problem encountered by an organization when they need to perform an Ethical Hacking is to establish the boundaries of the hacking.

Delimiting the scope of an Ethical Hacking by time is a common mistake since it is not possible to know when the hacking, that is measured solely by effort, has ended nor whether the results were satisfactory or if it was just a big waste of time and resources that left no valuable knowledge to the organization.

There are two objectives to evaluate in an Ethical Hacking, infrastructure and application. These two can be evaluated in an already deployed environment or in a development one, analyzing the source code.

Get started with Fluid Attacks' Ethical Hacking solution right now

If what the organization wants is to identify vulnerabilities in their applications (web/mobile) and web services based on the needs and context of the business, in order to generate the biggest business impact possible, an Ethical Hacking of Applications should be done.

If what the organization wants is to detect security flaws directly in the development, identifying bad programming practices and intentional errors in the source code that can affect the proper functioning of the system, a Source Code Analysis should be done.

Finally, if what is needed are attacks on the underlying infrastructure of the systems (Network services/OS), looking to exploit specific vulnerabilities of the implemented technology, an Ethical Hacking of the Infrastructure should be done.

Once the type of attack to be performed is decided, the Target of Evaluation or ToE has to be determined based on three items.

  • Number of Ports, If what is going to be evaluated is Infrastructure.

  • Number of Input Fields, If the target of the attack is the application.

  • Lines of Code, If the risks associated to the development wished to be determined.

Once these scopes are set and clear, one can be assured that everything related to that technology will be attacked, as opposed to delimitations that are set based on execution time with automated tools that only exploit a small percentage of the reported vulnerabilities.

At Fluid Attacks, our value proposition goes hand in hand with meeting the promised scope, never based on time. Our Ethical Hacking is to be finished when we have evaluated the complete target of evaluation.

Share

Tags:

Subscribe to our blog

Sign up for Fluid Attacks' weekly newsletter.

Recommended blog posts

You might be interested in the following related posts.

Photo by Roy Muz on Unsplash

Prove You're Definitely Safe!

Lessons learned from black swans

Photo by A S on Unsplash

They'll Wait for the Reality Check

How can we justify the investment in cybersecurity?

Photo by Mike Lewinski on Unsplash

The More Access, the Better

It's about time you relied on code-assisted pentesting

Photo by James Orr on Unsplash

Top 10 Hacking Certifications

Our pick of the hardest challenges for ethical hackers

Photo by Takahiro Sakamoto on Unsplash

Tips on Developing Software With AI

Five best practices for coding with the help of gen AI

Photo by Peter Neumann on Unsplash

Penetration Testing: A Guide

Importance, types, steps, tools of pentesting, and more

Photo by Fotis Fotopoulos on Unsplash

LFR via SSRF in BookStack

Beware of insecure-by-default libraries!

Start your 21-day free trial

Discover the benefits of our Continuous Hacking solution, which hundreds of organizations are already enjoying.

Start your 21-day free trial
Fluid Logo Footer

Hacking software for over 20 years

Fluid Attacks tests applications and other systems, covering all software development stages. Our team assists clients in quickly identifying and managing vulnerabilities to reduce the risk of incidents and deploy secure technology.

Service

Continuous Hacking

Platform overview

Solutions

Application security

Compliance

Systems

Testing Techniques

ASPM

SAST

DAST

MPT

MAST

SCA

CSPM

ARM

PTaaS

RE

SCR

Plans

Essential

Advanced

Resources

Blog

Learn

Advisories

Clients

Downloadables

Documentation

Company

About us

Certifications

Partners

Careers

Contact us

Copyright © 0 Fluid Attacks. We hack your software. All rights reserved.

Service status

Terms of use

Privacy policy

Cookie policy