[ENG-1742] Add pentesting docs #16

Merged
merged 10 commits into from
Dec 6, 2024
25 changes: 0 additions & 25 deletions .github/workflows/preview.yml

This file was deleted.
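Review bot: deleting `.github/workflows/preview.yml` is unrelated to the stated purpose of this PR (adding pentesting docs) and nothing in the diff view explains it; either split the deletion into its own change or state in the PR description why the preview workflow is being removed, since whatever preview deployment it provided will no longer run for docs changes such as this one.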

1 change: 1 addition & 0 deletions pages/_meta.ts
@@ -1,5 +1,6 @@
export default {
"index": "Introduction",
"penetration-testing": "Penetration Testing",
"integrations": "Integrations",
"oneleet-agent": "Oneleet Agent",
"guides": "Guides",
9 changes: 9 additions & 0 deletions pages/penetration-testing/_meta.ts
@@ -0,0 +1,9 @@
export default {
ptaas: "Penetration Testing as a Service (PtaaS) at Oneleet",
types: "Penetration Testing Types",
"reports-documents": "Penetration Test Reports / Documents",
"process-overview": "High-level overview of the Process",
"test-report": "The Penetration Test Report",
"analyze-remediate-retesting-accept": "Analyze, Remediate, Retesting and Accept the Risk",
"faq": "Frequently Asked Questions",
};
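Review bot: the `types` entry points at a `pages/penetration-testing/types.mdx` page that is not part of this change set; confirm that file exists or is added in another commit, otherwise the sidebar links to a missing page. Minor style in the same object: keys mix unquoted (`ptaas`, `types`) and needlessly quoted (`"faq"`) identifiers, and the titles mix sentence case (`"High-level overview of the Process"`) with the title case used by the other entries; pick one convention for both.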
91 changes: 91 additions & 0 deletions pages/penetration-testing/analyze-remediate-retesting-accept.mdx
@@ -0,0 +1,91 @@
# Analyze, Remediate, Retesting and Accept the Risk

After receiving the penetration test report, there are several steps you can take, such as remediation, accepting the risk, or rejecting the findings.

Here’s a brief overview of actions you can take once the penetration test report is ready.

## Analyze

When deciding to address a vulnerability, the first and most crucial step is to allocate sufficient time to analyze and interpret the report. Your employees responsible for the penetration test should consider the following questions:

- Does this vulnerability meet the risk threshold we have agreed upon internally?
- What is the actual (business) impact of a possible vulnerability exploitation, considering factors that may not be known to the penetration tester?
- Who will be responsible for remediating each finding?

## Remediate

Before taking any further actions, it’s crucial to verify that the vulnerability is reproducible. This not only enhances your understanding of the issue but also helps identify the systems at risk and different intrusion techniques.

To initiate the remediation phase, it’s essential to comprehend the scope of what needs to be fixed. While technical fixes may be necessary, there could also be underlying causes, such as:

- Management practices that require improvements;
- Alternative approaches;
- Ineffective or overly permissive security policies;
- Communication issues within or between departments.

Nevertheless, in most cases, a technical fix must be implemented. We advise remediating the findings as soon as possible, as the chances of the penetration tester still being intimately familiar with the vulnerability are higher, and the probability of an exploitation is lower.

## Retest

At Oneleet, we are committed to safeguarding your company. We provide free retesting for a year after the penetration test is delivered, giving you ample time to address vulnerabilities and improve your company’s security posture. However, it’s crucial to adhere to your internal policy regarding vulnerability remediation, particularly in light of compliance requirements such as SOC 2, PCI, or ISO 27001.

## Accepting the risk

Marking vulnerabilities as `Accepted Risk` on our platform is entirely at your discretion. We recognize that each client may have a higher or lower internal risk threshold for remediation, and we respect your decision if the analyzed impact is deemed too low to warrant action.

However, we advise against accepting vulnerabilities with a `Medium` or higher risk. As these vulnerabilities pose a growing business risk, they are not a matter of if but when they will impact your organization. Therefore, ensure that you allocate sufficient time and effort to remediate these risks effectively.

Our recommendation is to always provide a clear reason for accepting a risk. This rationale will be included in the penetration test report, allowing you to offer additional context to internal and external stakeholders regarding the acceptability of the risk.

---

# PCI DSS Penetration Test

If you hired Oneleet for a PCI-DSS penetration test, there will be a few minor differences compared to our regular penetration testing process. The primary objectives of the PCI-DSS penetration test are to:

- Validate that the cardholder data environment (CDE) is isolated, secure, and compliant with PCI DSS standards.
- Ensure that the CHD is protected from unauthorized access.
- Identify and remediate vulnerabilities that could compromise the CHD.

As a result, the following processes will be slightly different:

- The scope of the penetration test.
- The documentation before the PCI DSS Application penetration test.
- The frequency of penetration testing.

## Scoping of a PCI DSS Application Penetration Test:

During the scoping call, in addition to the already mentioned points, the following aspects will also be considered for a PCI DDS application penetration test:

- **Application Security Testing**
- Test all applications within the CDE that handle CHD to identify security vulnerabilities, including those that adhere to OWASP standards. This involves evaluating for common threats such as SQL injection, Cross-Site Scripting (XSS), authentication vulnerabilities, and authorization flaws.
- **External Application Testing**
- Simulate attacks on externally accessible applications that provide access to or protect CHD. External testing verifies the security of internet-facing applications by identifying misconfigurations, exposed ports, and external access vulnerabilities.
- **Internal Application Testing**
- Perform assessments on applications accessible from within the internal network. This involves testing for unauthorized access, privilege escalation, and potential risks of lateral movement if a user gains unauthorized access to the CDE.
- **Segmentation Testing**
- Confirm that network segmentation effectively isolates CHD-related applications from the rest of the environment, minimizing the PCI scope.

## Documentation provided before the PCI DSS Application Penetration Test:

Consider providing the following documentation after or before the scoping call:

- A network diagram illustrating all network segments within the scope of the test;
- A cardholder data flow diagram;
- A list of all anticipated services and ports exposed at the CDE perimeter;
- Details on how authorized users access the CDE;
- A list of all network segments that have been isolated from the CDE to minimize the scope.

## Frequency of PCI DSS penetration tests

According to **PCI DSS Requirements 11.3.1 and 11.3.2**, penetration testing is mandatory at least annually and after any substantial alterations to the network environment. These alterations may encompass infrastructure upgrades, application modifications, or the installation of novel system components.

The definition of a **“significant change”** fluctuates based on an **organization’s risk assessment** process and the specific configuration of its environment. Since PCI DSS doesn’t provide a rigid definition of a significant change, it’s up to each entity to assess whether a change could potentially compromise network security or expose cardholder data. If a modification could potentially affect security or access to cardholder data, it’s generally regarded as significant and should prompt a penetration test.

### Example of a Significant Change:

**Migration to a New Firewall System**: Upgrading or replacing the firewall safeguarding the CDE is a substantial change because it directly affects network security. This transition could introduce novel configurations, alter network paths, and influence data flow, potentially compromising cardholder data. Given the critical role firewalls play in security, a penetration test is essential to validate that security controls are functioning as intended.

### Example of a Non Significant Change:

**Patch for a Non-CDE System**: Applying a minor software patch to a system outside the CDE that doesn’t interact with or impact cardholder data would be considered a non-significant change. This maintenance doesn’t alter security controls in the CDE or affect access to sensitive data, so a penetration test under PCI DSS is not necessary.
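Review bot: the file carries two top-level headings (`# Analyze, Remediate, Retesting and Accept the Risk` and, after the `---` rule, `# PCI DSS Penetration Test`), so the PCI material sits outside the page outline and the `_meta.ts` title only describes the first half; move the PCI section to its own page or demote it to `##`. Wording to fix while here: `CHD` is used from the second objective bullet on without ever being expanded (the first bullet expands only CDE), `PCI DDS` in the scoping paragraph should read `PCI DSS`, `Non Significant` should be `Non-Significant`, both `##` headings in the PCI section end with a colon, and `Alternative approaches` is too vague to stand as an underlying cause next to the other three bullets. The frequency paragraph cites `Requirements 11.3.1 and 11.3.2`, which is the PCI DSS v3.2.1 numbering; under v4.0 penetration testing is covered by 11.4, so state which version the page is written against.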
37 changes: 37 additions & 0 deletions pages/penetration-testing/faq.mdx
@@ -0,0 +1,37 @@
# FAQ

### Does a Penetration Test at Oneleet include DDoS?

No. At Oneleet, we recognize that such attacks increase the probability of operational disruptions or the risk of collateral damage. We firmly believe that there is no genuine advantage to conducting such tests when doing a penetration test.

### Is the source code assessed? Between a Black, Gray or White-box Penetration Test, what should I choose?

Opt for a **White-box Pentration Test** if you are prepared to provide the source code and configuration files to the penetration tester, or if the application is open-source, as it effectively simulates threats that have or had access to the source code. Select a **Gray-box Penetration Test** for a best-of-both-worlds approach, as it allows the penetration tester to uncover most vulnerabilities accessible to bot an out- and insider. Choose a **Black-box Penetration Test** if you are main concern is about external threat actors.

### Do I need to set up a staging environment, and where do you test?

We usually conduct tests in the staging environment and advise against testing in the production environment to minimize the risk of operational disruptions or collateral damage. Having said that, testing in staging is discouraged if it doesn’t accurately reflect the production environment or lacks representative data, as this will provide less value from a security perspective.

### Can we implement significant system changes during the penetration test?

We advise against implementing significant system changes during the penetration test. While pushing small changes is acceptable, we recommend maintaining a stable environment throughout the engagement to ensure the accuracy and reliability of the testing process.

### What to expect on the penetration testing scoping call? Should I prepare something?

See [this](/penetration-testing/process-overview) section.

### What type of qualifications should I look for in a penetration tester to evaluate their skill level?

Technical background, certifications, communication skills. Evaluate a penetration tester’s technical background and certifications, starting with the industry-standard, the OSCP, and continuing with any other Offensive Security certification that you believe it’s relevant the penetration test, such as OSCE or OSWE. Effective communication is equally important — ensuring clear guidance from the initial scoping call, throughout the assessment, and through support with Letters of Attestation and Engagement.

### What are the lead times for a penetration test?

The average time from contract signing to the start of the penetration test is a few days if you are rush, extending up to 1 week during busier periods.

### What happens if no vulnerabilities were discovered during the engagement?

Although such engagements are highly unlikely, the outcome depends on the engagement scope and business size. For a startup with over 10 employees and a Gray-box penetration test, vulnerabilities are typically found, especially if it’s the first test. If the scope is limited or the application security is strong, there can be no vulnerabilities, but the tester should explain their methods, failures, and challenges.

### Do I share the penetration test report with customers?

You may share the penetration test report if you choose, but we provide a document designed specifically for this purpose. At Oneleet, we offer a Letter of Attestation, which provides a high-level overview of the penetration test, including the tester’s profile and the overall risk score or number of findings. We recommend the Letter of Attestation to be shared with stakeholders.
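Review bot: several typos in the answers should be fixed before merge: `White-box Pentration Test` (Penetration), `accessible to bot an out- and insider` (to both outsiders and insiders), `if you are main concern is` (if your main concern is), `that you believe it's relevant the penetration test` (is relevant to the penetration test), `if you are rush` (if you are in a rush), and `there can be no vulnerabilities` reads better as `there may be no vulnerabilities`. The qualifications answer opens with a fragment (`Technical background, certifications, communication skills.`) that only lists what the next sentence says; drop it. `See [this](/penetration-testing/process-overview) section.` should use descriptive link text such as the target page's title. The question headings are `###` directly under the `# FAQ` H1, skipping a level; `##` matches how the other pages in this PR structure their sections.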
38 changes: 38 additions & 0 deletions pages/penetration-testing/process-overview.mdx
@@ -0,0 +1,38 @@
# High-level overview of the Process

![](/penetration-testing/process.png)

1. **Scope**

- 30-minute scoping call, in which our penetration tester will be present.
- We expect you to provide a comprehensive overview of the product, including a demo of the application. While an architectural design is not mandatory, it would be appreciated.
- A showcase of Oneleet’s platform used for vulnerability management is provided.
- The assigned penetration tester will attend the meeting and ask questions to better understand your application/infrastructure.
- The Rules of Engagement will be discussed (timeline, scope, ways of communication, etc.)
- After the scoping call we will send over a summary of what was discussed.

2. **Prepare**

- Provide the necessary permissions and details of the environment discussed during the scoping call, including user accounts, IP addresses, and possibly required credentials. A summary of the required information will be provided after the scoping call.
- An invitation will be sent to your team in charge of supervising the penetration test to create an account on Oneleet’s platform.

3. **Test**

- Any found critical vulnerabilities will be immediately brought to your attention via Slack.
- Using various tactics, techniques and procedures to identify security caveats, our penetration testers will attempt to exploit the identified vulnerabilities to assess how deeply they can penetrate the system.

4. **Report**

- The discovered vulnerabilities will be uploaded on Oneleet’s platform.
- Once the engagement finishes, an internal team will revise the Penetration Test Report which shall be available within 2 to 3 business days.
- The final Penetration Test Report will include an executive summary, risk ratings, detailed findings, and recommendations.

5. **Remediate**

- If necessary, you can remediate the vulnerabilities, and our penetration tester will retest the system within a couple of days.
- At this stage, you also have the option to accept the risk or reject the vulnerability.
- Once all the findings have been addressed, an updated report will reflect the new state of each finding.

6. **Evaluate**

- For instance, discuss any unaddressed risks that your company accepted, confirming that these decisions align with your risk management strategy. Ensure that the risk remains acceptable over time.
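Review bot: the Evaluate step opens with `For instance, discuss any unaddressed risks...` but there is no sentence before it that this example illustrates; give the step a lead sentence saying what is evaluated and when (a periodic review of the findings after the engagement closes), or drop `For instance`. Under Test, `security caveats` should be `security weaknesses` or `vulnerabilities`, and under Report `an internal team will revise the Penetration Test Report` should be `review` unless edits are really meant. The Test step states that critical findings are reported `via Slack`, while the Scope step says ways of communication are agreed in the Rules of Engagement; phrase it as the agreed channel (Slack by default) so the two steps do not conflict. The image `![](/penetration-testing/process.png)` has empty alt text; describe the process diagram.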
20 changes: 20 additions & 0 deletions pages/penetration-testing/ptaas.mdx
@@ -0,0 +1,20 @@
# Penetration Testing as a Service (PtaaS) at Oneleet

## About Us

Oneleet is a United States-based cybersecurity company, established and ran by experienced penetration testers. The company offers flexible penetration testing options and a comprehensive platform for managing and addressing security vulnerabilities. Its interface facilitates the tracking and remediation of security findings, ensuring that organizations maintain robust and current defenses. Oneleet provides both expert testing services and a management system to facilitate the maintenance and enhancement of security posture. The company has received backing from venture capital firms such as Y Combinator positioning itself as a key competitor that prioritizes support, effectiveness, and communication. Oneleet serves a diverse clientele, ranging from enterprises to early-stage startups.

## Our Penetration Testing Goal

> Identifying vulnerabilities to reduce risk. Simulating real world attacks on your applications, systems and networks.
>

The primary objective of a penetration testing at Oneleet is to identify vulnerabilities before malicious actors exploit them, thereby fortifying your security program. We are excited to collaborate with you in your commitment to uncovering vulnerabilities and implementing robust protection measures.

## Services

Oneleet offers expertly conducted Penetration Testing services by our team of highly qualified professionals from NATO countries. They hold advanced certifications like OSCP and OSCE or OSWE. Our team’s expertise encompasses network penetration (wired and wireless), web and mobile application security, social engineering, and code reviews. This extensive skill set enables them to identify vulnerabilities across various systems and technologies.

We provide flexible retesting options as part of our standard penetration testing package and offer a comprehensive platform for managing vulnerabilities.

At Oneleet, we frequently conduct penetration tests to meet compliance requirements for frameworks like SOC 2, ISO 27001, PCI, HIPAA and more.
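Review bot: the blockquote under `## Our Penetration Testing Goal` ends with a stray empty `>` line that renders as a trailing blank quoted line; remove it. Grammar in the About Us paragraph: `established and ran by` should be `established and run by`, and `Y Combinator positioning itself` needs a comma before `positioning`. In the later paragraphs, `a penetration testing at Oneleet` should be `a penetration test at Oneleet`, and `like OSCP and OSCE or OSWE` reads more clearly as `such as OSCP, OSCE and OSWE`.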
9 changes: 9 additions & 0 deletions pages/penetration-testing/reports-documents.mdx
@@ -0,0 +1,9 @@
# Penetration Test Reports / Documents

At Oneleet, we offer several types of documents

| Name | Description | Target
|-----|-----|-----
| Full Report | - Generated at the conclusion of the engagement.`<br>`- This report presents all the findings, accompanied by a *Description*, *Business impact*, *Reproduction steps*, and *Remediation steps* section.`<br>`- It includes an executive summary that highlights positive findings and recommendations.`<br>`- The results section provides a high-level overview, a table listing vulnerabilities, and an overview of the scope of the engagement.`<br>`- After remediation, the report will be updated to reflect the current state of each identified finding. | Internal Usage / External Stakeholders
| Letter of Attestation | - Verifies the successful completion of a penetration test, offering a succinct summary of the scope, methodologies employed, and the tester's proficiency.`<br>`- Offers a comprehensive evaluation of the application's security, identifying the number of vulnerabilities discovered. | External Stakeholders
| Letter of Engagement | - Notifies that you are undergoing a penetration test.`<br>`- Offers a comprehensive overview of the test's objectives, scope, methodologies, and the dates of the assessment.`<br>`- Assures you that any vulnerabilities discovered will be promptly reported for remediation. | External Stakeholders |
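Review bot: the `<br>` tags are wrapped in backticks, so they render as literal `<br>` text inside the table cells rather than as line breaks; in MDX use an unquoted self-closing `<br />`, or split each bullet into its own row. The header and separator rows lack the trailing `|` that the last data row has; make all rows consistent. `At Oneleet, we offer several types of documents` is missing its full stop. The Letter of Attestation row calls the document both a `succinct summary` and a `comprehensive evaluation`; pick one, since the two descriptions pull in opposite directions.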