Process Overview
1. TOR - The Terms of Reference states what we will be doing, who exactly will be doing it, when, any exclusions, restrictions, etc.
2. Port Scan - We will scan the application's IP address for open TCP and UDP ports. The scanning will be performed from our specialist secure data center.
3. Vulnerability Scanning - CNS will scan the application and active ports identified in the previous step with a number of automated tools, such as Nessus.
4. Unauthenticated Testing - CNS will perform unauthenticated testing of the web application, trying to find hidden directories or files.
5. Authenticated Testing - CNS will map out the functionality of the application and attempt to access or modify data belonging to other accounts.
6. Unauthenticated Re-testing - Using the knowledge gained of the authenticated functionality, CNS will attempt to reach the same functionality again as an unauthenticated user.
7. Documentation - CNS will then document all results and issues identified, providing a detailed executive summary, results table, statistics page, and detailed technical explanation for each page.
8. Quality Assurance - The report will be passed through our internal QA process multiple times, where a second senior tester will review the report and identify issues. The report will then be passed to the testing manager for a final review.
9. Report Release - The report will then be provided to the client using the chosen method; by default this will be on an encrypted CD sent via registered post.
10. Optional Retest - As an optional extra, CNS can conduct further testing to verify any fixes applied.
11. Post Testing Debriefing - CNS will then conduct a debriefing for the client.