Evaluation Scope
The evaluation target, or scope, is the product, system, or service being analyzed for security vulnerabilities.
- The target could be:
  - a software application
  - a network
  - a security service
  - an entire IT infrastructure
- The target is the focus of a specific evaluation process.
- The primary goals of the evaluation are to:
  - mitigate risk
  - improve the target's security posture
  - ensure compliance with relevant security standards or regulations
- For a penetration tester,
  - the scope is the specific system, application, network, or environment they are authorized to evaluate for exploitability
  - anything outside that authorization is out of bounds, no matter how reachable it is from inside the scope
- For an attacker,
  - the scope describes their intended target
| Scope Practice | Description |
|---|---|
| Security Testing | Conducting vulnerability assessments and penetration testing to identify potential weaknesses, vulnerabilities, or misconfigurations. |
| Documentation Review | Reviewing documentation, such as design specifications, architecture diagrams, security policies, and procedures, to ensure the system is implemented according to secure design principles and compliance requirements. |
| Source Code Analysis | Analyzing source code to identify security vulnerabilities and coding errors, in particular issues with input validation, adherence to secure coding practices, and conformance to coding standards. |
| Configuration Assessment | Evaluating configuration settings to ensure they align with security best practices and industry standards, such as assessing access controls, encryption settings, authentication mechanisms, and other security-related configurations. |
| Cryptographic Analysis | Assessing cryptographic mechanisms, including encryption algorithms, key management, and secure key storage, to ensure the proper implementation and use of cryptographic schemes according to industry standards and guidelines. |
| Compliance Verification | Verifying compliance with standards specified by relevant regulations, frameworks, or security certifications. |
| Security Architecture Review | Evaluating security architecture and design to identify potential weaknesses or gaps in security controls, such as insufficient segregation of duties, lack of audit trails, or inadequate access controls. |