
3 Tips for Preparing for a Pen Test

Lessons learned from over 300 pen tests

Jakob Storm

Jakob Storm is Co-founder and Chief Product Architect at Cobalt. In his current role, Jakob helps guide the development of the Cobalt platform, working closely with product teams and business stakeholders to drive Cobalt’s architectural roadmap and ensure strong business/technology alignment.


I’m the Chief Operations Officer at Cobalt, a Pen Testing as a Service company that has performed over 300 pen tests to date. It’s my job to make sure that each and every one of our pen test programs is up and running properly. A large part of that deals with preparing organizations and pen testers for the pen test engagement. If you know that you are going to be running a pen test, internal or external, then you need to get your ducks in a row and prepare for it.

Oftentimes there is a negative connotation associated with pen testing preparation: that it’s an agonizing, irritating, and time-consuming task. However, this doesn’t have to be the case. Our customers tell us that their teams spend about 3 hours in total preparing for a Cobalt pen test, though these 3 hours of work are not done all at once and are not necessarily completed by the same individual.

These three tips will help make preparing for a pen test much easier:

1. Drop the Silos — Align security and development teams

To effectively find and fix application security issues there needs to be collaboration and communication between the security, product, and development teams. Organizations can use pen testing to facilitate this conversation. Pen test findings serve as a great feedback loop for it, and they give developers an opportunity to understand the real-world implications of writing insecure code.

However, security organizations often focus on defect discovery instead of on the process and cross-functional relationships that are required to get issues fixed. By involving and coordinating with dev teams at the beginning of the pen testing preparation process, you make them more committed to fixing the issues found. Developers should have an understanding of what is happening. Security teams will get better responses from dev, and dev will not feel like they are getting pushed around by security.

Note to security teams: Remember to deliver the good news about securely built modules etc. — this creates positive reinforcement and a nice work climate.

If you prepare the teams and align them on what will be tested, you can facilitate a more open and positive line of communication during the pen test.

2. Focus on the Important — Clear and impactful scope

One common mistake when preparing for a pen test is that the security team feels they need to provide the pen tester with every single nitty-gritty detail about their application. Although including every detail can add a little value, it is often a lot of unnecessary work. What is more important is to provide the tester with the critical workflows, key features, and data flows. Give them the important information, and that’s it. Too much information can make the important details get lost in the dust, as well as take away from everyone’s valuable time.

The best way to think about it is, “What can I provide that gives the tester the information needed to perform the test, and that doesn’t take away too much of my or their time?” Maybe that is creating a short screen-sharing video of common workflows, or providing a checklist of key features. That is up to you to decide, but just remember it’s not only about quantity; quality plays a larger role.

3. Work with Experts — Obtain the right pen testers

It’s a no-brainer that you want highly skilled and qualified pen testers looking into your application, but it’s just as important that those testers’ skills match the scope of what you want tested. Skills matching is a critical component of achieving quality results in any penetration test. The benefit of a pen test shouldn’t just be in discovering vulnerabilities, but in using that knowledge to reduce the risk associated with the application. The most important attributes of any penetration tester are skill set, experience, and performance. When choosing your testers, whether internally or externally through pen test providers, you need to match their skills to your tech stack. You want the tester to be familiar with what they are testing.

If you have the right workflows set in place, preparing for a pen test can be easy. Know what you’re testing, communicate this to the right teams, and have the best individuals, given your scope, perform the testing.

I hope these tips offer some guidance in preparing your pen test program. This blog was the first in a series about the pen testing process. Look out for the next post in this series, which will dive into tips for kicking off your pen test.
