Published by nakmenangtender, 2023-07-31 23:57:26

APPENDIX B-2-1: Proposed Development of the MyDFLAB System

PHASE 4: SYSTEM TESTING

TESTING METHODOLOGY

A testing methodology is a systematic approach to testing the software or system under development. It covers planning the scope of testing, preparing test data, executing test scripts, tracking defects, and evaluating quality, so that the reliability, performance and security of the system under test are assured.


Acceptance testing of the application system is what establishes confidence that the system built meets the stated business and user requirements. It also confirms that the system's functions are ready for use. Any defect found must be corrected, improved and retested.

01 Testing





REFERENCE, PROCESS & METHOD USED, DELIVERABLES

Reference documents:
1. System Requirements Specification
2. System Design Specification
3. System Integration Specification
4. System Test Report

Process and method used:
1. Preparation of the Master Test Plan
2. Preparation of the Acceptance Test Plan (UAT/PAT)
3. Test preparation documentation
4. User Acceptance Test (UAT)
5. Provisional Acceptance Test (PAT)

Deliverables:
1. Master Test Plan
2. Acceptance Test Plan (UAT/PAT)
3. Test Preparation Documentation
4. Acceptance Test Report (UAT/PAT)






The activities carried out in the testing phase concern the preparation of the test plan and the related test documentation, and the execution of acceptance testing of the system by its users. The tests in question are the User Acceptance Test (UAT) and the Provisional Acceptance Test (PAT). They validate the application system built against the user requirements and the system requirements, confirming that those requirements are met before the application system is put into operation.


System Testing










Testing must be planned carefully against the time, cost and resources allocated, so that the system built reaches the required quality level. Test results obtained through orderly execution of the tests and adherence to best practice inform the stakeholders' decision on whether to put the system into operation. Testing involves the system's users, including subject-matter experts (SMEs), process owners and end users. User expectations of the system are evaluated through two main activities:

User Acceptance Test (UAT)
Evaluates the functional aspects.

Provisional Acceptance Test (PAT)
Evaluates the functional and non-functional aspects.


The reference documents for the Acceptance Testing Phase are as follows:
1. D03 System Requirements Specification.
2. D04 System Design Specification.
3. D08 System Integration Specification.
4. D11 System Test Report.


The deliverables of the Acceptance Testing Phase are as follows:
1. D12 Master Test Plan.
2. D13 User Acceptance Test (UAT) / Provisional Acceptance Test (PAT) Plan.
3. D14 Acceptance Test Report (UAT & PAT).


To ensure that the activities of the testing phase succeed, the following factors need attention before and during testing:


1. The Business Requirements Specification, System Requirements Specification and System Design Specification are fully documented and have been agreed by the users.
2. System testing (unit/component testing, sub-system/module testing and system integration testing) has been completed. The system is free of high-severity defects that could disable its main functions.
3. The Test Manager / Test Lead is experienced and qualified in planning and running tests.
4. Detailed preparation for acceptance testing: the test schedule, invitations to the testers, and readiness of the test environment.
5. Commitment from stakeholders at all levels while testing is carried out.

Beyond these factors, using suitable tools for managing, executing and controlling the tests also adds to the success of testing.


05 Implementation



The purpose of system implementation is to ensure that the system built operates smoothly according to the specifications requested by the users. The implementation phase covers the activities of transitioning from the old system to the new one. It involves the change from manual ways of working to new, computer-based ones. The transition may also be applied to the current system by enhancing it according to the new requirements. During implementation, issues involving the business, the technology and the public must be identified and acted on.

The activities of the Implementation Phase are:
1. Data migration
2. Final Acceptance Test
3. User manual preparation
4. Application system handover



REFERENCE, PROCESS & METHOD USED, DELIVERABLES

Reference documents:
1. System Development Plan
2. Data Migration Plan
3. PAT Report
4. Application System

Process and method used:
1. Data migration
2. Final Acceptance Test (FAT)
3. User manual preparation
4. Application system handover

Deliverables:
1. Data Migration Report
2. Test Completion Report (FAT)
3. Application System User Manual
4. System Handover Report






The main activity of the implementation phase is preparing for the system to go into operation. The activities carried out in this phase are data migration, the final acceptance test, user manual preparation, and the system handover report.


PHASE 5: SECURITY POSTURE ASSESSMENT (SPA)


Tender for Maintenance Services for the Software, Applications and Hardware of the Electronic Trade Union Information System (e-TUIS), Jabatan Hal Ehwal Kesatuan Sekerja (JHEKS) Malaysia

A Proposal for Jabatan Hal Ehwal Kesatuan Sekerja (JHEKS)

CONFIDENTIAL
© 2021 Nexagate Sdn Bhd. All Rights Reserved.




CONTENT

01 Introduction

02 Executive Summary

03 Approach & Methodology
3.1 Proposed Scope of Work
3.2 Pre-Assessment Phase
3.3 Assessment Phase
3.4 Post Assessment Phase
3.5 Security Testing Tools

05 Project Management

06 Nominated Consultants

07 Maintenance & Support

08 Why Choose Us?

09 Project Reference




01 Introduction

Company Background




Meet Nexagate

Your Trusted Cybersecurity Partner

Projects Secured: 300+ (critical projects secured and delivered)
Client Base: 250+ (excellence in end-to-end cyber security solutions)
Established Since: 2010 (10 years and growing strong)
Manpower: 45+ (members and growing)
Global Certification: ISO/IEC 27001, CREST

Presence: Malaysia, Singapore, Indonesia, Philippines, Laos

Service lines:
Risk & Compliance: establish and improve security processes
Audit & Testing: assess and test against cyber threats
Managed Protection: defend and protect against cyber threats




Leadership Team

Great Leaders Make Great Teams

Khairil Effendy, Managing Director: MSc Comm Eng (Manchester, UK); CCNP/A, CCDP/A, JNCIA, ITIL, CCRSSS
Khairul Naim, Deputy Managing Director & Chief Security & Strategy: BEng Computer Eng (MMU); CISSP, GIAC HTQ, JNCIA, ITIL; ISMS/ISO27001 Certified Lead Auditor
Nur Aisyah, Chief Human Capital Officer: BMM (Hons) Media Innovation and Management, Multimedia University
Benyazwar Mohmd, Chief Security & Risk Consulting: MSc Comm Eng (Manchester, UK); ISMS/ISO27001 Certified Lead Auditor
Norzakimi Zahari, Chief Technology Officer: BSc Computer Science (UTM); CISSP, PMP, ISMS/ISO27001 Certified Lead Auditor
Tuan Faisal Azmy, Chief Marketing Officer: MSc Business Information Technology (Manchester, UK)
Ahmad Tarmizi, Chief Product Officer: BMM (Hons) Interface Design, Multimedia University
Suziyanti Shahrudin, Chief of Managed Security: BEng Computer Eng (MMU); ISMS/ISO27001 Certified Lead Auditor




Industry Recognitions

Credentials and Certifications

Certified ISMS / ISO27001: Certified Information Security Management System (ISMS) ISO 27001 since 2012.
MSC Status Company: MSC Status Company in the field of Global Business Services since 2013.
Certified CREST in Penetration Testing: Recognised by an international accreditation organisation in providing penetration testing.

Listed among the Top 25 Cyber Security Technology Companies in Asia Pacific by APAC CIO Outlook for 2017.
Among only 5 local companies certified by CSM as Penetration Testing Service Providers.
One of the top 3 local companies that won in the inaugural Cyber100 Competition.
Featured by Frost & Sullivan Cyber Security Case Studies for our industry-leading Managed Web Security Services.




Major Clients

Major Clients Who Trust Our Services

Client logos by sector: Banks/FSI, Telco/SP, Government, Various




03 Approach & Methodology

3.1 Proposed Scope of Work




SPA as a Requirement

SPA for Compliance

On 17 November 2009, MAMPU issued a general circular, "Surat Pekeliling Am Bilangan 3 Tahun 2009 - Garis Panduan Penilaian Tahap Keselamatan Rangkaian Dan Sistem ICT Sektor Awam", which provides guidelines for assessing the security level of public-sector networks and ICT systems. Among its provisions, each head of department is responsible for ensuring that a Security Posture Assessment is performed at least once a year within the department. Also, should a third party be appointed to perform the assessment, that third party must be capable and properly credentialed, for example certified against the ISMS standard ISO/IEC 27001.

A Security Posture Assessment is also a recognised way of addressing control A.12.6.1, Management of technical vulnerabilities, in Annex A of ISO/IEC 27001 (Information Security Management Systems, ISMS). It is crucial that the current network infrastructure and systems are assessed, vulnerabilities identified, and the recommended countermeasures implemented, in order to mitigate the risk of compromise to the confidentiality, integrity and availability of information systems.

By performing a Security Posture Assessment, an organisation addresses one of the major requirements of an Information Security Management System.




Scope of Work

Proposed Scope of Work

In summary, we are proposing the following scope of work, which is detailed in Section 3.3 Assessment Phase and Section 3.4 Post-Assessment Phase:

1. External Penetration Testing: ascertain the state of security of the target network in resisting a frontal attack from the Internet or another untrusted network.
2. Internal Penetration Testing: address residual weaknesses by identifying internal access points and insecure hosts.
3. Web Application Penetration Testing: ascertain the susceptibility of the web applications to unauthorised attempts to subvert their functionality and programming logic.
4. Host Assessment (Operating System): ascertain how robust the systems are to a direct break-in attempt.
5. Host Assessment (Network/Security Devices): review the security configurations of the network devices.




6. Host Assessment (Database): ascertain how robust the database systems are to a direct break-in attempt.
7. Application Load/Stress Test (Application Performance Assessment): provide a strategic assessment of the overall responsiveness, throughput, reliability and scalability of the application and system under various workload levels. It also helps establish the performance acceptance criteria for application service delivery.
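The load/stress test in item 7 is described only by its goals (responsiveness, throughput, reliability, scalability, acceptance criteria). The following is an added example, not Nexagate's tooling and not part of the proposal: it drives a constructed local HTTP service with concurrent clients, reports median and 95th-percentile latency, throughput and error rate, and checks them against acceptance criteria. The target service, its paths and the CRITERIA thresholds are assumptions for illustration; real thresholds are agreed with the system owner in the test plan.

```python
"""Added example (not Nexagate's tooling): a small load/stress test that
measures responsiveness, throughput and reliability against a constructed
local HTTP service and checks the numbers against acceptance criteria."""
import http.server
import statistics
import threading
import time
import urllib.error
import urllib.request
from concurrent.futures import ThreadPoolExecutor


class _SlowHandler(http.server.BaseHTTPRequestHandler):
    """Constructed target: a fast endpoint and a slower /report endpoint."""

    def do_GET(self):
        time.sleep(0.04 if self.path == "/report" else 0.005)
        body = b"ok"
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # silence per-request console logging
        pass


def start_target() -> str:
    """Starts the constructed target on an ephemeral loopback port."""
    srv = http.server.ThreadingHTTPServer(("127.0.0.1", 0), _SlowHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return "http://127.0.0.1:%d" % srv.server_address[1]


def timed_get(url: str, timeout: float = 5.0):
    """One request: returns (latency_seconds, succeeded)."""
    t0 = time.perf_counter()
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            resp.read()
            ok = resp.status == 200
    except (urllib.error.URLError, OSError):
        ok = False
    return time.perf_counter() - t0, ok


def percentile(samples, pct: float):
    """Nearest-rank percentile over a list of numbers."""
    s = sorted(samples)
    k = int(round(pct / 100.0 * (len(s) - 1)))
    return s[max(0, min(len(s) - 1, k))]


def load_test(base_url: str, path: str, users: int, requests_per_user: int):
    """Drives `users` concurrent clients, each issuing `requests_per_user`
    GETs, and reports latency percentiles, throughput and error rate."""
    url = base_url + path
    total = users * requests_per_user
    t0 = time.perf_counter()
    with ThreadPoolExecutor(max_workers=users) as pool:
        samples = list(pool.map(lambda _: timed_get(url), range(total)))
    elapsed = time.perf_counter() - t0
    latencies = [lat for lat, _ in samples]
    failures = sum(1 for _, ok in samples if not ok)
    return {
        "requests": total,
        "throughput_rps": total / elapsed,
        "p50_s": statistics.median(latencies),
        "p95_s": percentile(latencies, 95),
        "error_rate": failures / total,
    }


# Assumed acceptance criteria for illustration; the real thresholds are agreed
# with the system owner before the test and recorded in the test plan.
CRITERIA = {"p95_s": 0.5, "error_rate": 0.01, "throughput_rps": 10.0}


def meets_criteria(result: dict, criteria: dict = CRITERIA) -> bool:
    """Pass/fail against the agreed thresholds."""
    return (result["p95_s"] <= criteria["p95_s"]
            and result["error_rate"] <= criteria["error_rate"]
            and result["throughput_rps"] >= criteria["throughput_rps"])


if __name__ == "__main__":
    base = start_target()
    for path in ("/", "/report"):
        r = load_test(base, path, users=5, requests_per_user=4)
        print(path, {k: round(v, 4) for k, v in r.items()},
              "PASS" if meets_criteria(r) else "FAIL")
```

The 95th percentile is reported rather than the mean because a handful of slow responses is exactly what a stress test is meant to expose; the error rate captures reliability under load, and requests/second over wall-clock time is the throughput figure used to judge scalability when the number of users is stepped up.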




Proposed Scope of Work (summary)

In summary, we are proposing the following scope of work, which is detailed in Section 3.3 Assessment Phase and Section 3.4 Post-Assessment Phase:
➢ External Penetration Testing
➢ Web Application Penetration Testing
➢ Source Code Review
➢ Application Load/Stress Test (Application Performance Assessment)
➢ Analysis & Reporting
➢ Knowledge Transfer
➢ Hardening Workshop
➢ Post Review




3-Phase Approach

The methodologies and standards applied in our security assessments follow these best practices:
• Institute for Security and Open Methodologies (ISECOM) - Open Source Security Testing Methodology Manual (OSSTMM)
• National Institute of Standards and Technology (NIST)
• ISO/IEC 27002 Information Technology - Code of Practice for Information Security Management
• Open Web Application Security Project (OWASP) - OWASP Application Penetration Checklist

PRE-ASSESSMENT
• Project Planning & Initiation
• Confirmation of SoW
• Information Gathering

ASSESSMENT
• External Penetration Testing
• Internal Penetration Testing
• Web Application Penetration Testing
• Host Assessment (Operating System)
• Host Assessment (Network/Security Devices)
• Host Assessment (Database)
• Application Load/Stress Test (Application Performance Assessment)

POST-ASSESSMENT
• Findings Consolidation
• Develop Reports
• Executive Presentations
• Knowledge Transfer and Trainings
• Hardening Workshop
• Post Review




3.2 Pre-Assessment Phase




Pre-Assessment

This phase comprises the following activities:

Project Kick-off Meeting

This is a meeting with JHEKS to introduce the team, establish a shared understanding of how the project will be delivered, and align expectations with the Statement of Work. The agenda may include the Project Objective Statement, Project Organisational Chart, Roles and Responsibilities, Change Management, and an overview of the Statement of Work. Following this meeting, the Statement of Work (also called the Project Charter) is finalised and formalised between JHEKS's Project Manager and our Project Manager.

Technical Design/Info Gathering Discussion/Workshop

This activity is driven by the Solution Specification / Test Plan document. The project team engages the customer in meetings or workshops where the solution or test approach is elaborated in greater detail. The information gathered (e.g. the current security policy, current network diagrams, password policies, business continuity plans, incident response plans) carries our team into the next phase. The output of this activity is the solution specification or test plan documents against which the project's delivery is implemented.




Approach & Methodology


Pre-Assessment
Sample of Request for Information (RFI) document used to collect technical information:




3.3 Assessment Phase




Network Penetration Test

EXTERNAL PENETRATION TEST

OBJECTIVES

Ascertain the state of security of the target network in resisting a frontal attack from the Internet or another untrusted network.

KEY ACTIVITIES
Performed from outside the target network, for example from the public cloud, the Wide Area Network (WAN) or branch/site offices, following a 4-step methodology:

1. Network surveying
2. Port scanning
3. Vulnerability scanning and service identification
4. Verification and exploitation

EXPECTED RESULTS

List of hosts vulnerable to external attack, together with their vulnerabilities.






INTERNAL PENETRATION TEST

OBJECTIVES

Address residual weaknesses by identifying internal access points and insecure hosts.

KEY ACTIVITIES
The test is performed from within the same Local Area Network (LAN), or from internal trusted nodes of the target network, following the same 4-step methodology:

1. Network surveying
2. Port scanning
3. Vulnerability scanning and service identification
4. Verification and exploitation

We will also attempt to acquire the application's username and password during this assessment.

EXPECTED RESULTS

List of vulnerable hosts together with the vulnerabilities identified.
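The external and internal penetration tests above both rest on the same four steps: network surveying, port scanning, service identification, and verification. The following added example, which is not Nexagate's tooling and not part of the proposal, shows those steps as a minimal TCP connect scanner with banner grabbing. Because it must run offline, the "target" is a constructed loopback listener that replies with an SSH or FTP banner; the banner strings, the fingerprint rules and the finding texts are assumptions for illustration. The verification step only records protocol-level facts (SSH protocol 1 offered, FTP cleartext credentials, version disclosure) and performs no exploitation.

```python
"""Added example (not Nexagate's tooling): the four-step network test
(survey, port scan, service identification, verification) run against a
constructed loopback target so that it works offline."""
import re
import socket
import threading


def start_fake_service(banner: bytes) -> int:
    """Constructed stand-in for an in-scope host: a TCP listener that greets
    each client with `banner`. Returns the ephemeral port it listens on."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                try:
                    conn.sendall(banner)
                except OSError:
                    pass  # client already went away (e.g. the liveness probe)

    threading.Thread(target=serve, daemon=True).start()
    return port


def host_is_up(host: str, ports, timeout: float = 2.0) -> bool:
    """Step 1, network surveying. Without raw-socket privileges a host counts
    as live when any probe port answers, either open or actively refused."""
    for port in ports:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return True
        except ConnectionRefusedError:
            return True  # an RST came back, so something is there
        except OSError:
            continue  # timeout or unreachable: try the next probe port
        finally:
            s.close()
    return False


def scan_port(host: str, port: int, timeout: float = 2.0):
    """Steps 2 and 3: TCP connect scan plus banner grab."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
    except OSError:
        s.close()
        return False, b""
    try:
        banner = s.recv(256)
    except OSError:
        banner = b""
    finally:
        s.close()
    return True, banner


# Assumed banner fingerprints; the captured groups feed the verification step.
FINGERPRINTS = [
    ("ssh", re.compile(rb"^SSH-(?P<proto>\d\.\d+)-(?P<sw>\S+)")),
    ("ftp", re.compile(rb"^220[ -](?P<sw>.*?[Ff][Tt][Pp][^\r\n]*)")),
    ("smtp", re.compile(rb"^220[ -](?P<sw>.*?E?SMTP[^\r\n]*)")),
]


def identify_service(banner: bytes):
    """Step 3, service identification from the banner."""
    for name, rx in FINGERPRINTS:
        m = rx.match(banner)
        if m:
            return name, m.groupdict()
    return "unknown", {}


def verify(service: str, info: dict):
    """Step 4, verification: turn fingerprint facts into findings. Only
    protocol-level facts are asserted; nothing is exploited."""
    findings = []
    if service == "ssh" and info.get("proto", b"").startswith(b"1."):
        findings.append("SSH protocol 1 offered (deprecated, known weak)")
    if service == "ftp":
        findings.append("FTP: credentials travel in cleartext")
    if info.get("sw"):
        findings.append("banner discloses software version: "
                        + info["sw"].decode(errors="replace"))
    return findings


def scan_host(host: str, ports):
    """Runs the four steps and returns one record per open port."""
    if not host_is_up(host, ports):
        return []
    results = []
    for port in ports:
        is_open, banner = scan_port(host, port)
        if not is_open:
            continue
        service, info = identify_service(banner)
        results.append({"port": port, "service": service,
                        "banner": banner.strip().decode(errors="replace"),
                        "findings": verify(service, info)})
    return results


if __name__ == "__main__":
    # Constructed targets: an old-style SSH banner and an FTP banner; port 1
    # is included as a port expected to be closed.
    ssh = start_fake_service(b"SSH-1.99-OpenSSH_5.3\r\n")
    ftp = start_fake_service(b"220 (vsFTPd 3.0.3)\r\n")
    for record in scan_host("127.0.0.1", [ssh, ftp, 1]):
        print(record)
```

In an engagement the same structure is what a tool such as a port scanner with version detection produces; what the example makes explicit is the boundary between step 3 (what the banner says) and step 4 (which of those facts is a finding), and that "SSH-1.99" means the server offers protocol 1 alongside protocol 2.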



