A company hires a cybersecurity consultant to perform penetration tests and review the rules of engagement documents. The consultant notices that one element specifies that the tests should be performed against only the web applications on websites www1.company.com and www2.company.com, with no social engineering attacks and no cross-site scripting attacks. Which element in the document is used for the specification?
- location of testing
- types of allowed or disallowed tests
- IP addresses or networks from which testing will originate
- the security controls that could potentially detect or prevent testing
Explanation & Hint: The rules of engagement document specifies the conditions under which the security penetration testing engagement will be conducted. The "types of allowed or disallowed tests" element in the rules of engagement document should specify the particular penetration tests that are allowed or disallowed.