How to get the most out of your PenTest #4
Project Timelines and Prerequisites
Introduction
If you've been following this series, you'll know by now that I believe the devil is in the detail! If you haven't and want to catch up, take a look at my previous posts on choosing a vendor, rules of engagement, and scoping and you might find some useful snippets in there.
The purpose of this series is to try and support businesses to get better value from their penetration testing programs and from the vendors they partner with. I offer some insights from my experiences with customers as to what most commonly causes challenges in arranging a penetration test, and how these challenges can be easily sidestepped with a few small tweaks.
I joined the security services industry after a 5 year stint recruiting in the information security space - in recruitment you have to quickly learn to adapt when speaking with candidates, hiring managers, talent acquisition teams, and HR alike; all of these people have different agendas and requirements. Working in that industry taught me a lot about the importance of viewing the same topic from multiple perspectives and I believe that applying that to this process helps to form better communication and understanding between both customer and vendor.
Today’s post is really about knowledge sharing, to enable you (the customer) to view the scheduling and set up of an assessment through the lens of the vendor to ensure that a chink in the chain doesn't degrade the value of your assessment.
Scoping Time Scales
You will by this point have received a proposal from your chosen vendor/s. In my last post I mentioned the importance of questioning project timelines if they don't match up to your estimates, and of feeling able to ask for justification of the day count proposed. In my experience there are many ways to scope the time frame of an assessment, but typically, if a vendor is scoping accurately, they are informed by a few things:
Size: How large is the in-scope environment? Vendors will use this to best gauge how long it may take to ensure good coverage of an application, network, cloud environment, or bespoke product.
Complexity: This could be as simple as the difference between brochureware and a complex banking application with loads of complex RBAC, or something more bespoke like a product built in-house that necessitates the provision of architecture diagrams, documentation, and thorough scoping calls with your product team.
Tech Stack: Similar to the above, are you using off-the-shelf products or something more bespoke or unusual? Generally, the more common a technology is, the more penetration testers will have knowledge of it, and therefore the easier it is to scope and test. In some cases, research time may need to be added to a project involving custom technology in order to develop POCs for testing - this inevitably adds time.
Methodology: This could be anything from standard web application assessment informed by OWASP Top 10 to a deep dive into specific scenarios based on threat modelling exercises with your team - obviously the latter may take longer.
Reporting Time: Reporting is done alongside testing or at the end - it very much depends on the penetration testers involved and how they best work. Either way, time will need to be factored in for this, and generally the larger the scope, the more reporting time is needed to ensure a thorough deliverable, as an increased scope is likely to lead to more findings.
In some assessments there will be some project management involved, but typically the majority of what you'll be paying for is testing time - and that's a good thing. The more time spent testing, the more comprehensive an assessment is likely to be. But in all assessments there is an element of time capping. This is because a real threat actor might spend months conducting recon on your estate and trying to leverage weaknesses in it to access sensitive data, whereas we have to make timeline estimates based on the list above.
Do question timelines, but if you trust your vendor, take their advice as well. A lot of customers I have worked with really want to hear that penetration testing is a science, that it is a tick-box exercise a penetration tester can go through to cover everything in depth. The reality is that unfortunately it's more of an art - an art informed by various frameworks, regulations, methodologies and research, but an art nonetheless! The reason for this is that, putting those things aside, penetration testers are human beings, and they all think differently. This means that there is no standard way that your vendor's staff will cover an assessment, so thorough scoping and open communication are important.
Scheduling
Once you are comfortable with the timeline for the assessment and you're looking to schedule (assuming of course this is not an urgent/last-minute request), make sure you think about the following:
Deadlines: Do you need the report by a specific time? Do you have a release date you need to hit? Do you have a regulatory obligation to test by a specific date? Do you also need to retest and remediate in that time frame?
The best thing to do is communicate this at the start of the vendor initiation process, but if you haven't, do it NOW. At NetSPI we provide our findings on the NetSPI platform as soon as they are verified, so you can set about remediation straight away, but lots of vendors give you a PDF report 5-10 days after the last scheduled day of the project, so be sure to check this and factor it into your schedule. If timelines are tight, don't be afraid to ask for daily updates so that you can start thinking about remediation sooner - the only catch here is that daily calls and admin do eat into testing time, so speak to your vendor in order to best manage this and ensure a thorough assessment.
Blockers: There are likely to be events in your calendar and your vendor's that are not conducive to a smooth assessment. Think about the holiday schedules of your team and what resources you may need for the planning and duration of the project, and try to schedule around them. You may also want to consider important events and public holidays, even big security conferences, that may mean your vendor has small gaps in testing. Where possible, schedule to avoid these! AND better still, if you aren't in a rush - ask your vendor who the absolute best person/team to test this is, based on skill set, and find out when they are available!
Prerequisites: One of the main reasons I mentioned taking holidays into account (even though it seems super obvious) is the importance of raising prerequisites in time. In fact, this needs its own subheading - imagine it's in red!
Prerequisites
I had an assessment last year with a large financial services business, which was planned months in advance, and the customer had done everything right. Unfortunately, they neglected to tell us that someone was on holiday in the lead-up to the start date. This person was responsible for creating the user accounts we needed to test - so whilst their attendance during the test was not technically necessary (hence why the customer neglected to mention it), when it came to gathering prerequisites, we ended up having to wait until they were back, which was on the first scheduled testing day :-/
It is really important, where planning permits, to schedule kick-off and prerequisites calls a few weeks in advance and to provide what your vendor needs at least 1 week prior to the start date as a minimum. Lots of customers forget that the penetration testers assigned to their project are billable, and so it is very likely that they are moving straight from another customer project onto yours. Giving them adequate time to test all of your prereqs and access before your project starts avoids losing valuable testing time later. In my experience, around 50% of the user accounts and other access provided typically needs some level of tweaking to ensure your vendor has the right level of access to complete a thorough assessment WITHOUT caveats in your report caused by delays or disruptions to testing environments.
I touched on this in my last post, but if you read anything more than the pricing section in your vendor's proposal, please let it be the prerequisites section, in detail! Give yourself lots of time to gather them before your assessment begins, and if you think you'll have any issues provisioning anything on that list - tell your vendor straight away.
Prerequisites are literally The No.1 Reason for delays in testing! You're likely to be paying by the day, so don't blow your budget paying for penetration testers to sit around waiting for access! Also, on a side note: all of the penetration testers I have worked with absolutely hate this - keeping them happy has always been a big part of my job, so that I know I am getting the absolute best out of them on an assessment for my customers - because let's be really honest, someone who is happy cares a lot more about doing a good job, so please don't poke the bear ha-ha!
If you have a good vendor, they will have scoped comprehensively but also conservatively, with your budget in mind. Delays in testing just completely devalue the quality of your assessment and final deliverable, so try and make sure an issue with prereqs doesn't cause testing delays for you.
Lots of the things I've touched on today seem like obvious things to consider, but sometimes it's the small things that trip you up. Don't let any of these be that piece of Lego that you tread on today, and Ride on Time, smoothly through your next pen test engagement.
Happy Friday! And if you don't reach for your nearest device to listen to that amazing 90s hit now, I'll eat my hat!
As always, these are my own opinions, formed from my time working to support customers with the smooth running of their assessments with me. I'm always open to hearing your feedback, ideas and thoughts so feel free to reach out to me or comment!
If this has been useful for you though, keep an eye out for future posts in this series on: