This article will walk you through the various decisions you’ll need to make when planning a penetration test. It will focus on high-level considerations and goals rather than diving into the technical details. We will lend our perspective and experience to help you understand the implications of various choices, and position you to get the most out of your penetration test.
The scope of a penetration test defines the targets, boundaries, and depth of an assessment. Defining the scope of a penetration test is critical to its success—the scope ultimately drives the goals, effort, cost, and technical steps of the test. Scoping is also key to identifying the right domains of technical expertise necessary to conduct the best penetration test.
For the purposes of this article, let’s pretend you just became responsible for the security of a web-based customer relationship management (CRM) application. Your application integrates with multiple software as a service (SaaS) providers, such as a productivity suite (e.g., G Suite or Office 365) and a variety of other APIs that customers use to aggregate lead data. The product is currently hosted in Amazon Web Services (AWS). You’re expanding your customer base, and in addition to compliance requirements, your customers are asking for a third-party penetration test.
While your primary reason for getting a penetration test may be to meet a compliance or customer requirement, you also want to find important security vulnerabilities that put your business at risk. With so many offerings at consultancies, how do you prioritize the assessments to undertake given your budget limitations to find the best fit for your product?
Take time to identify your primary business concerns and most important data. This will structure the penetration test, and allow the assessment team to focus on attempting to perform specific malicious actions to target that data. In the resulting assessment report, the consultants can then make strategic recommendations to create a defense-in-depth (multi-layered) approach, raise the bar for attackers, and limit future risk.
For most companies, there are common risks (e.g., breach of customer information or company secrets), but within those broad categories, there are specific items of larger concern.
In our example CRM application scenario, stolen business intelligence could impact future leads; however, an attacker who impersonated employee emails to customers through the Office 365 integration could be much worse.
Once you understand your prioritized business concerns, work with your development team or a consulting firm’s scoper to determine which assets in your product’s architecture present the greatest risk. Identify the key security boundaries, assumptions, and assertions to assess. From these conversations, you can develop a clear idea of the type of assessment you need, the assessment’s goals, and a targeted approach to achieve those goals.
For example, if a specific concern is email impersonation in our CRM application, this might mean an application assessment focusing on authorization controls, offline storage, caching architecture, and the single sign-on (SSO) authentication process, in addition to the standard set of vulnerabilities.
Depending on the business concerns, scopers might recommend a source code review, cloud security review, or network test. The more information or the more knowledgeable developers you can bring to the conversation, the better the team can customize the penetration test to your unique requirements.
Web applications can have a large attack surface, so it may not be feasible to test the entire attack surface due to deadlines or an already limited budget. Therefore, it is important to determine the portions that you want to do in-house or skip, versus the features that you want the consulting team to focus on. Often it’s best to leave the full application in scope and leverage assessment goals, such as specific business risks, to guide the depth of the pen test.
For our CRM application example, you might have an in-house team of AWS wizards who are well versed in secure cloud configurations. You may feel comfortable with their experience and therefore postpone a third-party cloud security review.
Instead, you could focus your consultants on a penetration test of your web application. If a few AWS-related findings result from that assessment, you can revisit the decision to postpone the cloud security review. The results of that penetration test can also help to guide future strategic security decisions.
One of the best parts about an application penetration test is that it can help establish a security baseline (not unlike a checkup at the doctor’s office). You will discover what parts of your design are trouble spots and identify weaknesses that were not previously on your radar. Additionally, you can also use the results of an assessment to help drive business objectives, such as obtaining more budget or head count.
In addition to prioritizing assets, consider asking your scoper if they can customize the level of depth on different parts of the assessment. For instance, if your team has extensive AWS experience, perhaps you might opt for a minimal exploratory assessment on cloud security to determine if more work is needed. On the other hand, you might pursue a more in-depth review of your web application’s source code if it has had some issues in the past.
Be sure to have these conversations with your scoper to customize the assessment of your product.
Annual penetration tests are a great way to keep your finger on the pulse of your application’s security. However, it’s a common misconception that annual pen tests can’t have specific goals guiding them. Consider changing the focus from year to year to get strong coverage on new features or a deeper dive on specific components. Consultancies should be able to tailor a penetration test to your specific needs and guide you through the process.
Collaborate with an offensive security consultancy to figure out the best fit for your budget, deadlines, and assessment goals. Ask questions about customizing the depth, priority targets, and their plan for achieving your goals within the proposed timeline and budget. Finally, make sure that they understand your business. Every consultancy has unique approaches and philosophies to structuring tests; take the time to find the best fit for your project.
At Bishop Fox, we help our clients take an inventory of their architecture, business risks, and external attack surface. We value the technical expertise of our clients to help inform our scoping processes, so we invest time up front to strategize with our clients to figure out the best fit for their budget, deadlines, and assessment goals.
Now that you have some good ideas for scoping out your penetration test, read our 20 Tips to Make the Most of Your Pen Test e-book.