Organizational policies

  • Organizational policies are formalized statements defining how the organization intends to meet its long-term goals.
  • They can cover numerous topics, including security, privacy, compliance, and acceptable use of resources.
  • Pen test engagements should be designed so as to be in concert with existing organizational policies.

Security exceptions

  • Some organizations provide ways to apply for policy exceptions, where certain organizational policies are not enforced for identified technologies or resources.
  • Existing security exceptions should be identified as being either within or outside of the engagement's scope.


  • Network Access Control encompasses the collected protocols, policies, and hardware that govern if and how devices can connect to a network.
  • If a device can pass a health check, it can connect to the network.
  • Devices are agent-based or agentless.

Whitelisting and blacklisting (IPS/WAF whitelisting)

  • Whitelisting blocks all users or IP addresses except those included on the whitelist, while blacklisting allows all users or IP addresses except those included on the blacklist.
  • These practices are commonly used with intrusion protection systems (IPSs) and web application firewalls (WAFs).
  • It is generally recognized that implementing whitelists is more restrictive and thus more secure than implementing blacklists.

Certificate and public key pinning

  • Certificate and public key pinning is the process of associating a host with its expected X.509 certificate or public key.
  • Pinning bypasses the certificate authority (CA) hierarchy and chain of trust to lessen the impact of man-in-the-middle attacks.
  • Used in securing wireless channels, the act of pinning a certificate or public key helps guard against vulnerabilities in well-known protocols such as VPN, SSL, and TLS.