Making the wrong choices in your security testing can wreak havoc on your work and possibly even your career. In this chapter, I discuss ten potential pitfalls to be keenly aware of when performing your security assessment work.

Not Getting Approval

Getting documented approval in advance, such as an email, an internal memo, or a formal contract for your security testing efforts — whether it’s from management or your client — is a must. Outside of laws on the books that might affect your testing, it’s your “Get Out of Jail Free” card.

Allow no exceptions — especially when you’re doing work for clients. Make sure to get a signed copy of this document for your files to ensure that you’re protected.

Assuming That You Can Find All Vulnerabilities

So many security vulnerabilities exist — known and unknown — that you won’t find them all during your testing. Don’t make any guarantees that you’ll find all the security vulnerabilities in a system. You’ll be starting something that you can’t finish.

Stick to the following tenets:

• Be realistic.
• Use good tools.
• Get to know your systems and practice honing your techniques.
• Improve over time.

I cover these rules in various ways in chapters 5 through 16.

Assuming That You Can Eliminate All Vulnerabilities

When it comes to networks, computers, and applications, ironclad security isn’t attainable. You can’t ...