What are the main steps and deliverables of a security testing plan?

The scope should clearly define what you want to achieve with the penetration test. Involve all relevant stakeholders in the process. Scope definition will involve identification of assets, workflows, components, APIs, internal or external facing, what types of attacks should be excluded, time-frame for execution and also relevant to the business risks and operating environment. Also, the report template should be agreed upon and signed off by the target audience.

As a cybersecurity professional, I've often found that defining the scope of a security testing plan is crucial for ensuring alignment with organizational objectives and expectations. For instance, in a recent project aimed at assessing the security posture of a cloud-based application, defining the scope involved identifying the specific components and functionalities to be tested, such as authentication mechanisms, data storage, and communication protocols. Additionally, by involving stakeholders from different departments, including IT, development, and compliance, we ensured that all relevant aspects were considered and addressed within the testing scope.

Defining the scope of a security testing plan is crucial as it provides clarity, aligns resources, manages risks, and sets expectations. A clear scope ensures efficient testing, prevents scope creep, and allows for objective assessment, while also addressing legal and compliance considerations. It forms the foundation for structured reporting and accountability, making it an essential component of an effective security testing process.

In essence, the risk assessment is a dynamic and proactive process that strengthens the security posture of the system or application. The "shift left" approach in risk assessment involves integrating risk analysis and mitigation into the earliest stages of the project, ensuring security considerations are addressed as soon as possible. Instead of treating risk assessment as a separate, later-stage activity, it becomes an integral part of the development process

In our organization, we created a matrix with assets on X axis and ways to exploit on Y Axis. We then mapped each asset with associated risk based on likelihood and severity. For example: I mapped the asset - application with API attacks. It will vary for your organization but this exercise really helped us assess our security posture. Also you want to do it collaboratively with Engineering and DevSecOps teams and not in silos. Security testing is effective only if done in the DevSecOps pipeline and hence we adopted DevSecOps collaboration very early on.

Selecting the appropriate methods and tools for security testing is essential for maximizing the effectiveness and efficiency of the testing process. In a recent engagement focused on evaluating the security of a web application, we employed a combination of manual and automated testing techniques, leveraging tools such as Burp Suite for dynamic analysis and OWASP ZAP for vulnerability scanning. By tailoring our approach to the unique characteristics of the application and its underlying technology stack, we were able to identify and remediate critical vulnerabilities effectively, thus enhancing the overall security posture of the application.

We implemented all the commerical Open source tools in our DevSecOps pipeline. Here is my recommendation: 1. SAST- Semgrep 2. Secret Scanning - Trufflehog 3. IaC scanning - TerraScan 4. Dependencies - Dependapbot 5. DAST/ IAST/ API Security Testing - Akto.io

Besides the automated tools, manual penetration testing is the most important aspect. Since this will cover flows and areas where automated tools may not be effective. This will include things like: business logic flows, custom features, etc Manual pentesting is a labour intensive effort and requires specialized skill. Therefore, it should be very focused to ensure it does not repeat the same test cases as the automated tools.

Effective reporting and communication of security testing results play a pivotal role in driving actionable insights and facilitating informed decision-making. In a recent project involving the assessment of network infrastructure security, we prepared a comprehensive report highlighting key findings, including identified vulnerabilities, their potential impact, and recommended mitigation strategies. Utilizing visual aids such as heatmaps and risk matrices, we conveyed complex technical information in a clear and accessible manner, enabling stakeholders to prioritize remediation efforts based on risk severity and business impact.

Testing should be associated with metrics: for example: mean-time-to-resolve (MTTR), total findings over a given period, criticality/risk of findings, etc. Measuring these items will help to uncover systemic, procedural, or cultural issues within a project's life cycles.