DDactic
Find What Defenses Miss
Responsible Testing Guidelines
These guidelines establish ethical standards and best practices for conducting security assessments. All DDactic engagements follow these principles to ensure safe, legal, and responsible testing.
Core Principles
1. Authorization and Consent
Always Obtain Written Authorization
- Never test without explicit written authorization
- Authorization must specify scope, methods, and timeline
- Verify authorization before beginning any testing activities
- Document authorization for all engagements
Scope Adherence
- Test only authorized systems and networks
- Use only authorized testing methods
- Respect defined boundaries and limitations
- Request new authorization for scope changes
2. Minimize Impact
Non-Intrusive Methods First
- Prefer passive reconnaissance over active scanning
- Use rate limiting to avoid overwhelming systems
- Schedule testing during low-traffic periods when possible
- Monitor for service disruptions and pause if detected
Resource Conservation
- Use efficient scanning techniques
- Avoid redundant or unnecessary testing
- Minimize bandwidth and resource consumption
- Clean up test artifacts after completion
3. Responsible Disclosure
Immediate Critical Findings
- Report critical vulnerabilities immediately
- Provide sufficient detail for remediation
- Work with clients on disclosure timelines
- Never publicly disclose without client consent
Coordinated Disclosure
- Respect client preferences for disclosure
- Support responsible disclosure practices
- Help clients understand risk and remediation
- Maintain confidentiality of findings
4. Data Protection
Data Minimization
- Collect only data necessary for assessment
- Avoid accessing sensitive data when possible
- Use anonymized data for analysis when feasible
- Delete unnecessary data promptly
Secure Handling
- Encrypt data in transit and at rest
- Limit access to authorized personnel only
- Use secure channels for data transmission
- Follow client data protection requirements
Testing Methodologies
Passive Reconnaissance
Recommended Methods:
- DNS enumeration and analysis
- Certificate transparency logs
- Public information gathering
- WHOIS and domain research
- Social media and OSINT
Benefits:
- No impact on target systems
- Undetectable by security systems
- Legal and ethical
- Provides valuable intelligence
Active Scanning
When Authorized:
- Port scanning and service enumeration
- HTTP/HTTPS service analysis
- Vulnerability scanning
- Network topology mapping
Best Practices:
- Use rate limiting
- Avoid peak business hours
- Monitor for service impact
- Stop if disruptions detected
Architecture Analysis
Approach:
- CDN and infrastructure evaluation
- DDoS mitigation assessment
- Origin infrastructure analysis
- Network security posture evaluation
Considerations:
- Requires deeper access
- May involve multiple systems
- Coordinate with client IT teams
- Document all findings
Prohibited Activities
Without Explicit Authorization
The following activities are NEVER permitted without explicit written consent:
- Denial of Service (DoS): Any activity that could cause service disruption
- Data Modification: Altering, deleting, or modifying any data
- Data Exfiltration: Copying or removing data beyond assessment scope
- Privilege Escalation: Attempting to gain unauthorized access levels
- Destructive Testing: Any testing that could cause permanent damage
- Social Engineering: Manipulating personnel for access or information
- Physical Access: Attempting physical access to facilities or systems
Ethical Boundaries
Respect Client Systems:
- Treat client systems as if they were your own
- Avoid unnecessary risk or disruption
- Respect business operations and priorities
- Maintain professional boundaries
Legal Compliance:
- Comply with all applicable laws
- Respect computer fraud and abuse laws
- Follow data protection regulations
- Maintain necessary authorizations
Testing Phases
Phase 1: Planning and Preparation
Activities:
- Review authorization and scope
- Identify authorized targets
- Plan testing methodology
- Coordinate with client contacts
- Prepare testing tools and environment
Deliverables:
- Testing plan
- Contact information
- Schedule confirmation
Phase 2: Passive Reconnaissance
Activities:
- Domain enumeration
- Public information gathering
- DNS and certificate analysis
- Network mapping (passive)
Duration: Typically 1-3 days
Impact: None (passive methods)
Phase 3: Active Scanning (If Authorized)
Activities:
- Port scanning
- Service enumeration
- HTTP/HTTPS analysis
- Vulnerability scanning
Duration: Typically 3-7 days
Impact: Minimal (with rate limiting)
Phase 4: Analysis and Reporting
Activities:
- Data analysis and correlation
- Risk assessment
- Remediation recommendations
- Report preparation
Duration: Typically 5-10 days
Impact: None (analysis only)
Communication Guidelines
Pre-Testing Communication
- Confirm testing schedule and window
- Verify emergency contact information
- Discuss any concerns or special requirements
- Provide testing methodology overview
During Testing Communication
- Regular status updates (daily or as agreed)
- Immediate notification of critical findings
- Notification of any issues or disruptions
- Response to client inquiries within [X] hours
Post-Testing Communication
- Summary of testing activities
- Preliminary findings overview
- Timeline for report delivery
- Availability for questions and clarification
Incident Handling
Incident Detection
Monitor For:
- Service disruptions or downtime
- Unexpected errors or responses
- System performance degradation
- Security alerts or notifications
Incident Response
Immediate Actions:
- Stop all testing activities
- Assess the situation
- Notify client emergency contact
- Document incident details
- Work with client to resolve
Follow-Up:
- Incident report
- Root cause analysis
- Prevention measures
- Lessons learned
Quality Assurance
Testing Quality
- Use validated tools and methodologies
- Verify findings before reporting
- Cross-reference multiple sources
- Document testing procedures
Report Quality
- Accurate and factual findings
- Clear risk assessments
- Actionable recommendations
- Professional presentation
Continuous Improvement
Learning and Development
- Stay current with industry best practices
- Learn from each engagement
- Share knowledge with team
- Improve methodologies and tools
Feedback Integration
- Solicit client feedback
- Review engagement outcomes
- Identify improvement opportunities
- Update guidelines and procedures
Compliance
Legal Compliance
- Computer Fraud and Abuse Act (CFAA)
- State and local computer crime laws
- Data protection regulations (GDPR, CCPA)
- Industry-specific regulations
Industry Standards
- OWASP Testing Guide
- PTES (Penetration Testing Execution Standard)
- NIST Cybersecurity Framework
- ISO 27001 standards
Resources
Training Materials
- Ethical hacking courses
- Responsible disclosure training
- Legal and compliance training
- Tool-specific training
Reference Documents
- Authorization to Test Agreement
- Safety Policy
- Master Service Agreement
- Statement of Work
Acknowledgment
All DDactic personnel must:
- Read and understand these guidelines
- Apply guidelines to all engagements
- Seek clarification when uncertain
- Report violations or concerns