Create a penetration test assessment request from existing requests (v19.0)

  • Release version: Australia
  • Updated: March 12, 2026
  • Time required: 10 minutes

Starting with v19.0, you create penetration test assessment requests directly from the list of existing requests. You can also copy existing requests in the Closed state on this list to create new requests.

Before you begin

Role required: Application Owner

About this task

Starting with v19.0 of Vulnerability Response, if you are using the Veracode Vulnerability Integration, the penetration assessment tests in the Veracode Vulnerability Integration are manual findings from Veracode. They are not linked to any penetration test assessment requests you configure in Application Vulnerability Response. For more information about penetration test assessments from Veracode, see the Veracode Vulnerability Integration.

Procedure

1. Navigate to All > Penetration Test Assessment Requests > All.
2. Optional: Alternatively, you can create a request by replicating a closed request. Select Copy And Create Request from a record in the Closed state. All the values from the original request are preserved in the new form, and active application vulnerable items (AVIs) are automatically copied to the new request.
3. Select New and fill out the fields.

   Table 1. Penetration Testing Assessment Request form

   Number: Unique identifier generated for the penetration test assessment request.
   State: Select a value based on the status of the request.
   Requested by: Person requesting the assessment of the application.
   Assignment group: Group selected to work on the penetration test findings. Can be manually added or edited by an App-Sec Manager. To configure groups, see Configure penetration testing.
   Application: Select an application using the search option.
   Assigned to: Individual from the selected assignment group who works on the penetration test findings. Can be manually added or edited by an App-Sec Manager.
   Application type: Select an option from:
     • Web service (known as API prior to v16.1)
     • Web Application
     • Thick Client
     • Mobile (if you select Mobile, the Mobile tab is displayed at the bottom of the form with additional fields)
   Sprint: Displays the sprints with bandwidth available to accommodate the assessment request, based on the selected Assessment type field. See Configure sprints for penetration testing and Configure assessment types for penetration testing for more information about modifying sprint capacity and testing scope.
   Application size (v19.0): Select the size of the application you want to test.
     • Small
     • Medium
     • Large
     • Standard (select this option if you are not sure of the size)
     See Configure penetration testing for more information about modifying sprint capacity and testing scope with application size.
   Created: Date and time the request was created.
   Assessment type: Select the type of assessment from:
     • Full penetration Test
     • Focused Test
     • Re-test
     For more details about testing combinations and testing scope, see Configure assessment types for penetration testing.
   Updated: Date and time the request was last updated.
   Demo date: Date when this application can be demonstrated.
   Product deployment planned on: Planned date to deploy this application in production.
   Application version/release planned for deployment: Version of the application planned for production deployment.
   Application owned by third-party vendor or a joint venture (v19.0): If you select Yes for this field, the Vendor/Joint Venture Information tab is displayed. Fill in the additional fields on that tab:
     Clause exists that enables us to perform pen testing? The term 'Clause' might refer to standards for testing that include any agreements that exist between two or more parties you want to add. If you select Yes, add the clause.
     The clause citing the permission to perform pen testing
     Full legal name and address of the vendor
     Intrusion detection system
     Technical contact from vendor
     Has the logged information been reviewed for malicious activity?
     Application hosted by another third-party vendor?
     Contact from vendor who will be signing off on the pen test

   Application Details tab

   Purpose of application: Description of the application's functionality.
   Technology stack details: Complete technology stack from front end to back end, databases, and other key technologies.
   Is third-party application? Confirms if this application is owned by a third-party vendor.
   List types of sensitive data accessible from application: Types of sensitive data accessible from the application. For example, PII data, PHI data, and financial data such as credit card numbers.
   Authentication type: Specifies if this application uses LDAP authentication, its own native authentication, or other forms of authentication.
   Is application in scope for any compliance program? Specifies if this application impacts any compliance programs such as PCI.
   Application team contacts: Members of the application team to be contacted by the ethical hacking team for any questions.
   List of compliance programs
   Related third-party interfaces or applications
   IP address
   Approximate number of users in production?
   Automated script exists?
   Production version of this app is external-facing?

   Business Impact (v19.0)

   Financial damage: Select one from the list.
   Non-compliance: Select one from the list.
   Reputation damage: Select one from the list.
   Privacy violation: Select one from the list.

   Testing details tab

   URLs to test: URLs that must be included in penetration testing.
   URLs to exclude: URLs that must be excluded from penetration testing.
   Was this application tested previously? Specifies if this application has already been penetration tested.
   Reason for retest: Reason for asking for a penetration test reassessment if the application was tested earlier.
   When was the application tested? Time frame when the application was penetration tested.
   Test account details: Details of the test account that can be used by the ethical hacking team for penetration testing.
   Application roles: Roles supported by the application for its users.
   Most used roles: Most commonly used roles in the application.

   Additional Comments tab

   Work notes
    4. Select Save to save your edits or Submit to initiate the request.