mbraylyan / CC410-412

Determine Scope #5

Closed mbraylyan closed 7 months ago

mbraylyan commented 9 months ago

WebApp Risk Assessments frequently feature penetration testing, as many WebApps are quite secure by default, and scanners may not pick up on certain nuances. However, penetration testing may not be a practice doable by the LC's Risk Assessment team. This needs to be discussed with team leaders and management. Furthermore, the actual scope of the scans needs to be determined. Without much knowledge of how the scans work, it can be difficult to set a proper scope.

mbraylyan commented 9 months ago

The scope after some initial consideration probably won't go beyond scanning. Currently, the LC doesn't have a Pentesting team working alongside its Risk Assessment team, and it's unrealistic to ask a team of that size to handle both simultaneously. This means that it's likely that the scanner of choice might miss something, but it's unfortunately a bit outside of scope to pentest.