Test Credentials
Your pentesters need dedicated accounts to test your systems.
Your organization is responsible for deleting/disabling or rotating any credentials issued during this test once the testing process is complete.
In our journey through Pentest Requirements, we now discuss Test Credentials. When you reach the Provide Credentials section of the brief, select one of the following options:
- Enter credentials on this brief
- Send credentials to pentesters through encrypted email
  - You can find the pentesters' email addresses within the brief once your pentest is in the Planned state.
- Allow pentesters to create their own credentials / None required
  - Explain the process in the Special Instructions, based on the following use cases:
    - Our pentesters can create their own accounts on your system
    - Our pentesters can test your system without credentials
If you’ve set up dedicated accounts:
- Remember to create one (1) account per pentester.
- Make sure each test account works.
- Share documentation on how your pentesters can set their own passwords.
- If necessary, share username/password (or other credential) information using the secure channel of your choice.
- Describe the user role along with associated permissions and/or privileges.
- Include other authentication requirements such as multi-factor authentication (MFA).
- Once the pentest (and any retests) is complete, disable or delete the dedicated accounts.
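The checklist above, as an added example that is not part of the original page or of Cobalt's own tooling: a small Python register that enforces one dedicated account per pentester, records the role, permissions and MFA requirement for the brief, runs a login check on every account before handover, and disables all of them once the engagement (including retests) closes. The `TestCredentialRegister` class, the `login_check` callback and the sample accounts are assumptions made for this example.

```python
"""Track dedicated pentest accounts from issue to disablement.

Added example, not Cobalt's or the page's own code: the register,
the `login_check` callback and the sample accounts are assumptions.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass
class TestAccount:
    username: str
    pentester: str                 # who the account was issued to
    role: str                      # e.g. "standard user", "admin"
    permissions: Tuple[str, ...]   # what the role may do, for the brief
    mfa_required: bool             # extra authentication the tester needs
    verified: bool = False         # login confirmed working before handover
    disabled: bool = False         # set once the pentest and retests are done


class TestCredentialRegister:
    """One dedicated account per pentester; nothing stays enabled afterwards."""

    def __init__(self) -> None:
        self._accounts: Dict[str, TestAccount] = {}

    def issue(self, username: str, pentester: str, role: str,
              permissions: Tuple[str, ...], mfa_required: bool) -> TestAccount:
        if username in self._accounts:
            raise ValueError(f"account {username!r} already issued")
        # Shared or duplicate accounts blur the audit trail, so reject a
        # second active account for the same pentester.
        for acct in self._accounts.values():
            if acct.pentester == pentester and not acct.disabled:
                raise ValueError(f"{pentester} already has an active test account")
        acct = TestAccount(username, pentester, role, permissions, mfa_required)
        self._accounts[username] = acct
        return acct

    def verify_all(self, login_check: Callable[[str], bool]) -> List[str]:
        """Run the supplied login check on every active account; return the failures."""
        failures: List[str] = []
        for acct in self._accounts.values():
            if acct.disabled:
                continue
            acct.verified = bool(login_check(acct.username))
            if not acct.verified:
                failures.append(acct.username)
        return failures

    def brief_lines(self) -> List[str]:
        """One line per account describing role, permissions and MFA for the brief."""
        lines = []
        for acct in self._accounts.values():
            perms = ", ".join(acct.permissions) or "none"
            mfa = "MFA required" if acct.mfa_required else "no MFA"
            lines.append(f"{acct.username} ({acct.pentester}): role={acct.role}; "
                         f"permissions={perms}; {mfa}")
        return lines

    def close_engagement(self) -> List[str]:
        """Disable every still-active account and return their usernames."""
        closed = []
        for acct in self._accounts.values():
            if not acct.disabled:
                acct.disabled = True
                closed.append(acct.username)
        return closed

    def active_accounts(self) -> List[str]:
        return [u for u, a in self._accounts.items() if not a.disabled]


def demo() -> dict:
    """Walk a constructed engagement through the whole account lifecycle."""
    reg = TestCredentialRegister()
    # Constructed sample accounts, one per (fictional) pentester.
    reg.issue("pt-alice", "alice", "standard user", ("read", "write"), mfa_required=True)
    reg.issue("pt-bob", "bob", "admin", ("read", "write", "manage-users"), mfa_required=True)
    # Simulated login check: pretend pt-bob's password was never set.
    failures = reg.verify_all(lambda user: user != "pt-bob")
    closed = reg.close_engagement()
    return {"failures": failures, "closed": closed,
            "active": reg.active_accounts(), "brief": reg.brief_lines()}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

In practice `login_check` would wrap a real login attempt against the system under test, and `close_engagement` would call your identity provider's disable or delete API; the register is only there to make sure no account is created twice for one tester and none is forgotten when the pentest and any retests finish.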
Depending on the methodology, we may also perform black-box and gray-box tests.
Now proceed to the next step, Special Instructions.
Last modified November 14, 2024