Provensec's PCI penetration testing process strictly follows the guidance published by the PCI SSC. The objective of the test is to see how an attacker could jeopardise the confidentiality and integrity of
Before we start the test, we agree on the scope and rules of engagement, which include the success criteria.
Once the scope and success criteria are agreed, we start our test using the OWASP methodology. Depending on the agreed scope, this will touch the application, network and server layers of your IT infrastructure.
Once the test is completed, we deliver a report to the client that explains the test results and gives SMART actions for fixing the identified findings.
Our PCI penetration test covers the following aspects of your IT infrastructure:
Application Layer: As described in Section 2.3 of the PCI SSC penetration testing guidance, we test from the perspective of each of the application's defined roles. We strongly encourage our clients to supply credentials for every role so that the tester can assume it and determine whether a user in that role could escalate privileges or otherwise gain access to data they are not explicitly authorised to see. Where a web application uses a backend API and the API is in scope, we test the web front end and the API independently.
Network Layer: Because network-layer services use standard protocols and modes of interaction, we conduct the initial testing with automated tools and verify the results manually. The test checks whether the CDE has efficient and effective network controls.
Segmentation test: The segmentation check uses the techniques from the initial stages of a network penetration test (host discovery, port scanning, etc.), run from the out-of-scope network segments agreed during scoping. We verify that those isolated LANs have no access into the CDE.
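As an added illustration of the segmentation check (this is example code written for this page, not Provensec's own tooling), the script below takes the grepable output (`-oG`) of an nmap scan run from an out-of-scope segment and cross-checks it against the CDE address ranges: any CDE host that answered host discovery is a finding, and any open port on such a host is a separate, more serious one. The scan output and the address ranges are constructed for the example and are hypothetical.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed sample of nmap grepable output, as produced by a command such as
#   nmap -sS -p 22,443,1433,3389 -oG - 10.10.20.0/28 192.168.1.10
# run from a host on an out-of-scope LAN. Addresses are hypothetical.
SAMPLE_OG = """\
# Nmap 7.94 scan initiated as: nmap -sS -p 22,443,1433,3389 -oG - 10.10.20.0/28 192.168.1.10
Host: 10.10.20.5 ()\tStatus: Up
Host: 10.10.20.5 ()\tPorts: 22/filtered/tcp//ssh///, 443/open/tcp//https///, 1433/filtered/tcp//ms-sql-s///, 3389/filtered/tcp//ms-wbt-server///
Host: 10.10.20.6 ()\tStatus: Up
Host: 10.10.20.6 ()\tPorts: 22/filtered/tcp//ssh///, 443/filtered/tcp//https///, 1433/filtered/tcp//ms-sql-s///, 3389/filtered/tcp//ms-wbt-server///
Host: 192.168.1.10 ()\tStatus: Up
Host: 192.168.1.10 ()\tPorts: 22/closed/tcp//ssh///, 443/open/tcp//https///, 1433/closed/tcp//ms-sql-s///, 3389/closed/tcp//ms-wbt-server///
# Nmap done -- 18 IP addresses (3 hosts up) scanned
"""

PortInfo = Tuple[int, str, str, str]  # (port, state, protocol, service)


def parse_grepable(text: str) -> Dict[str, List[PortInfo]]:
    """Return {host: [(port, state, proto, service), ...]} for every host
    that nmap reported. A host that only has a Status line gets an empty list.

    Each port entry in -oG output is port/state/protocol/owner/service/rpc/version;
    we keep the first five fields and ignore the rest.
    """
    hosts: Dict[str, List[PortInfo]] = {}
    for line in text.splitlines():
        if not line.startswith("Host: "):
            continue  # comments ("# Nmap ...") and blank lines
        fields = line.split("\t")
        host = fields[0].split()[1]
        hosts.setdefault(host, [])
        for field in fields[1:]:
            if not field.startswith("Ports: "):
                continue
            for entry in field[len("Ports: "):].split(", "):
                parts = entry.split("/")
                if len(parts) < 5:
                    continue  # malformed entry; skip rather than crash
                port, state, proto, _owner, service = parts[:5]
                hosts[host].append((int(port), state, proto, service))
    return hosts


def segmentation_findings(text: str, cde_networks: List[str]) -> List[str]:
    """Cross-check scan results against the CDE ranges.

    From an out-of-scope segment no CDE host should answer at all, so a CDE
    host that nmap reports as Up is a finding, and each port confirmed 'open'
    on such a host is an additional finding. Hosts outside the CDE are ignored;
    'filtered' and 'closed' states are the expected result of working controls.
    """
    nets = [ipaddress.ip_network(n) for n in cde_networks]
    findings: List[str] = []
    for host, ports in parse_grepable(text).items():
        addr = ipaddress.ip_address(host)
        if not any(addr in net for net in nets):
            continue
        findings.append(f"{host}: host discovery got a response from inside the CDE")
        for port, state, proto, service in ports:
            if state == "open":
                findings.append(
                    f"{host}: {port}/{proto} ({service}) open from out-of-scope segment"
                )
    return findings


def segmentation_passes(text: str, cde_networks: List[str]) -> bool:
    """The segmentation check passes only when there are no findings."""
    return not segmentation_findings(text, cde_networks)


if __name__ == "__main__":
    cde = ["10.10.20.0/24"]  # hypothetical CDE range for the example
    for finding in segmentation_findings(SAMPLE_OG, cde):
        print("FAIL", finding)
    print("segmentation check:", "PASS" if segmentation_passes(SAMPLE_OG, cde) else "FAIL")
```

Run against the constructed sample, the script reports both CDE hosts as reachable and 443/tcp on 10.10.20.5 as open, so the check fails; 192.168.1.10 is outside the CDE range and is not reported. In a real engagement the same scan would be repeated from every out-of-scope segment named in the scope, and a passing result is one with no findings at all, not merely no open ports.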