Commit ccc26a8

Update 2-4-3-Pentest.md
1 parent 1137421 commit ccc26a8

1 file changed

Lines changed: 16 additions & 10 deletions

current-version/2-Process/2-4-Operation/2-4-3-Pentest.md

@@ -4,6 +4,8 @@ A penetration test, or pen test, is a simulated attack on systems and applicatio
44

55
While penetration testers use automated tools for scanning and information gathering, most testing is conducted manually. Manual testing is crucial for detecting vulnerabilities related to business logic and other issues that automated scans might miss.
66

7+
Penetration testing can be conducted during the testing phase of the software development lifecycle, ensuring vulnerabilities are addressed before the application is deployed. It can also be performed after the application is in production to identify and mitigate security risks in a live environment, ensuring ongoing protection against emerging threats. Doing it early on in the development process may depend on how mature the organization is.
8+
79
### Methodologies and Checklists
810

911
A penetration test can be approached in three ways: black-box, gray-box, or white-box.
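
Review bot: The last sentence of the paragraph added at line 7, "Doing it early on in the development process may depend on how mature the organization is", is too vague to act on; state what maturity means here (what has to be in place before testing-phase pentests are practical) or drop the sentence. The same paragraph uses "ensuring" twice for outcomes a pentest can only support ("ensuring vulnerabilities are addressed", "ensuring ongoing protection"); wording such as "so that vulnerabilities can be addressed before deployment" would match what a test actually delivers.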
@@ -16,23 +18,27 @@ Regardless of the approach, penetration testers will generally follow publicly-a
1618

1719
- [OWASP Web Security Testing Guide (WSTG)](https://owasp.org/www-project-web-security-testing-guide/) - a comprehensive guide to testing the security of web applications and web services.
1820
- [OWASP Mobile Application Security Testing Guide (MASTG)](https://mas.owasp.org/MASTG/) - similar to the OWASP WSTG, it is a comprehensive guide to testing mobile applications.
19-
- [OWASP Top 10](https://owasp.org/www-project-top-ten/) - ranks the top 10 most common and impactful webb application security vulnerabilities.
20-
- [OWASP Top 10 API](https://owasp.org/API-Security/editions/2023/en/0x11-t10/) - 10 most common security risks and vulnerabilities for APIs.
21+
- [OWASP Top 10](https://owasp.org/www-project-top-ten/) - most common and impactful web application security vulnerabilities.
22+
- [OWASP Top 10 API](https://owasp.org/API-Security/editions/2023/en/0x11-t10/) - most common security risks and vulnerabilities for APIs.
2123
- [OWASP Mobile Top 10](https://owasp.org/www-project-mobile-top-10/) - a list containing the most common and impactful mobile application security vulnerabilities.
2224

2325
### Process Overview
2426

2527
#### Assembling the team
26-
The composition of the penetration testing team is very important. It can either consist of internal cybersecurity professionals who understand the organization's systems and policies intimately or an external team hired for their specialized skills and objectivity, which can bring fresh perspectives and expertise in identifying vulnerabilities that internal teams might overlook.
28+
The composition of the penetration testing team is very important. It can either consist of:
29+
- **Internal:** cybersecurity professionals who understand the organization's systems and policies intimately.
30+
- **External:** hired for their specialized skills and objectivity, which can bring fresh perspectives and expertise in identifying vulnerabilities that internal teams might overlook.
2731

2832
#### Defining a scope
29-
After assembling the penetration testing team, the organization must meticulously define the scope of the test. This step is critical to avoid deviations from the planned objectives or unintended testing of additional assets and endpoints. Scope definition also entails selecting the appropriate penetration testing approach: black-box, gray-box, or white-box.
30-
31-
#### Dates and deadlines
32-
As part of the scope, dates for the testing must be selected
33+
After assembling the penetration testing team, the organization must meticulously define the scope of the test. This step is critical to avoid deviations from the planned objectives or unintended testing of additional assets and endpoints. Scope definition entails:
34+
- Decide between black-box, gray-box, or white-box methodologies.
35+
- Establish clear timelines for the testing phases.
36+
- Define which systems and endpoints will undergo testing.
37+
- Decide whether tests will occur in production, staging, or other environments.
38+
- Define the requirements - e.g. testing accounts, credentials, documentation, etc.
3339

3440
#### Requirements
35-
Once the scope and dates are defined, the penetration testing team will inform the organization of requirements - e.g., testing credentials, application documentation, source-code access, and so forth. It is imperative that the organization provide the penetration testing
41+
Once the scope and dates are defined, the penetration testing team will communicate their requirements to the organization. These may include testing credentials, application documentation, source code access, and other necessary resources. It is crucial for the organization to promptly provide all requested information and access before testing begins to ensure a smooth and effective penetration testing process.
3642

3743
#### Execution
3844

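Review bot: The new scope bullet at line 38, "Define the requirements - e.g. testing accounts, credentials, documentation, etc.", overlaps with the "Requirements" section kept directly below it, and the two disagree on timing: the bullet makes requirements part of scope definition, while the section says the team communicates them "Once the scope and dates are defined". Keep requirements in one place, or turn the bullet into a pointer to that section. Two smaller style points: the bullets after "Scope definition entails:" are imperatives ("Decide", "Establish", "Define") where gerunds would read correctly after that lead-in, and "It can either consist of:" at line 28 leaves "either" without its "or" now that the sentence is split into a list.
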
@@ -44,8 +50,8 @@ Once the scope and dates are defined, the penetration testing team will inform t
4450
There are several tools that can help while performing penetration test against applications. The most common are:
4551
- [BurpSuite](https://portswigger.net/burp) - a comprehensive software tool used for web application security testing. Key features include a proxy for intercepting and modifying web traffic, a scanner for automated vulnerability detection, and tools for performing manual testing, such as repeater, intruder, and so forth.
4652
- [OWASP ZAP](https://www.zaproxy.org) - an open-source tool similar to BurpSuite.
47-
- [Postman](https://www.postman.com/) - ests API security by sending various HTTP requests, manipulating headers, and automating tests. It helps identify vulnerabilities like authentication issues and data exposure, integrating with other security tools for comprehensive analysis.
48-
- [MobSF](https://github.com/MobSF/Mobile-Security-Framework-MobSF) -
53+
- [Postman](https://www.postman.com/) - API testing tool that allows sending various HTTP requests, manipulating headers, and automating tests. It helps identify vulnerabilities like authentication issues and data exposure, integrating with other security tools for comprehensive analysis.
54+
- [MobSF](https://github.com/MobSF/Mobile-Security-Framework-MobSF) - automated, open-source tool for security testing and analyzing mobile applications, supporting both Android and iOS platforms.
4955

5056
### References
5157
- [OWASP Penetration Testing Methodologies](https://owasp.org/www-project-web-security-testing-guide/latest/3-The_OWASP_Testing_Framework/1-Penetration_Testing_Methodologies)
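
Review bot: In the rewritten Postman entry at line 53, "integrating with other security tools for comprehensive analysis" names no tool or integration and reads as filler; say which integration is meant or cut the clause. The new Postman and MobSF descriptions also start without an article ("API testing tool ...", "automated, open-source tool ...") while the BurpSuite and OWASP ZAP entries above them start with "a" and "an"; match those for consistency.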
