Posted on 2020-04-07 by Volkis in Volkis News
A couple of weeks ago we put up the Volkis Handbook. It is aimed at our customers, friends, employees, infosec colleagues and really anyone interested in the inner workings of Volkis.
More than this, it aims to form the core of Volkis and a key part of our philosophy as an organisation. We would like to be transparent, open, and honest. By showing what we do and the way we work, we hope that everyone will get to know us better and perhaps just learn a thing or two that they could do better as well.
“But won’t competitors just copy you?” We hear you asking. We certainly hope so! If they do, it means we’re doing something right and their customers are better off for it. It also means we need to push the envelope even more.
In the end, nothing in cyber security has been developed in isolation. We have learned so much from the community, including people who have worked with us and for competitors, freely sharing information that helps organisations protect themselves and helps the industry as a whole. This is part of our way of contributing back to the community.
We’ve been continuously working to put up more information in our handbook. Documents that we have already put up include the Penetration Testing Engagement Guide, Penetration Testing Methodologies, and the Penetration Testing Welcome Pack.
Penetration Testing Engagement Guide
The penetration testing engagement guide goes over the engagement side of penetration testing. It’s about the stuff of a penetration test that is not actual testing.
When someone thinks of a good penetration tester, they may think of someone who has deep technical knowledge and experience and who can uncover the hidden vulnerabilities. It’s extremely important to be a good tester, but that’s only half of the puzzle. The other half is to be a good consultant.
If the client doesn’t know what’s wrong, or how to fix it, then nothing gets fixed. It doesn’t matter how good the test was or how many awesome vulnerabilities were found. If the client doesn’t know and understand what happened, then the outcome is that the test was ultimately worthless.
Being a good consultant means getting the communication, reporting, prioritisation, and recommendations right. They are able to communicate things effectively and structure everything in a way so that the results are actioned.
Penetration testers reading this guide might learn a bit more about what it means to be a consultant and organisations reading this guide might learn a bit about what they should expect from their tester.
Penetration Testing Methodologies
Usually organisations simply attach their methodologies to their proposals and reports and share them on a “need to know” basis. We’re looking to be a bit different and are making them public for everyone to see and judge.
The methodologies are not procedures, or step-by-step guides of exactly what we will do in a test. That’s an impossible feat given the sheer number of different systems and environments we might be testing. Instead, they are an overview of the high-level stages we take in our testing, the things we look for, and the outcome we deliver.
We have put up the methodologies for external penetration testing, internal penetration testing, and web application penetration testing. There’ll be more to come.
Penetration Testing Welcome Pack
The penetration testing welcome pack is what we send new clients when they have a penetration test coming up. The content of course is tailored to the test and we have removed sensitive information. Still, it explains the requirements, timeframes, communication plan, and details of how testing will be performed.
For organisations, the welcome pack gives a preview of what a Volkis test will look like and of the project management side of testing. You might see that the welcome pack and the engagement guide are mirror images of each other – the welcome pack explains what the engagement guide should feel like as a customer.
The welcome pack also has our vulnerability disclosure guidelines. At Volkis we end up testing third party systems all the time and occasionally find vulnerabilities in those systems. To help protect other organisations, we have a disclosure policy that allows us to work with the vendor to get those vulnerabilities fixed.
Where to from here?
We will be looking to get more and more documents ready, raising the quality, removing confidential information, and removing at least some of the slang. We’ve already put up the company overview, style guide, biographical data sheets, and service catalogue. We’re looking to publish the rest of our methodologies, checklists, information about tools we’re developing, more information about the Volkis company and culture, and guides for job seekers.
You can even join in and help build the handbook. The entire thing is available in a git repository at https://gitlab.com/volkis/handbook.volkis.com.au.
We’re excited about everything we’re sharing in the handbook. Whether you’re interested in the inner workings of a security company, or interested in Volkis, you will be able to take something out of it. You can see it all at handbook.volkis.com.au.