A while back our Co-Founder, Esben Friis-Jensen, offered insights on how to plan out your annual pentesting strategy. We wanted to revisit this idea and flush out the details around planning, but this time, with a spin on our pentest program approach. In recent articles, we’ve written a lot about pentest programs.
How a programmatic approach to pentesting works, and what to expect from it
What the lifecycle of an effective pentest program looks like
In this article, we’ll take a closer look at how to set your pentest program up for success by nailing the planning stage.
Step #0: Don’t Skip This
If there’s one thing every pentest program needs, it’s buy-in from stakeholders, engineering teams, and management. If you have it, your program will thrive. If you don’t, it won’t matter how well constructed the rest of your program is — it will never perform to its full potential.
The reason is simple. Pentest programs are designed to uncover bugs and vulnerabilities so they can be fixed. If your developers aren’t engaged with the program or don’t have time set aside to work on fixes, the value of uncovering bugs diminishes substantially. In addition, you need management to buy in so that you are able to fund you program and get support from all necessary stakeholders.
A pentest program is an opportunity to build security testing directly into the software development lifecycle. For this to be possible, you’ll need to start building relationships between security and development teams as early as possible.
6 Steps to Plan an Optimal Pentest Program
Step #1: Set objectives
It’s easy to wander into pentesting simply because it ‘needs to be done’. But not all programs are made equal, and depending on your objectives the structure of an optimal pentest program could look quite different. So before you dive in, take the time to determine exactly what your program needs to achieve.
For example, you might need to:
Ensure testing of specific assets for compliance purposes (e.g. PCI-DSS)
Regularly test all assets that store or access sensitive data
Regularly test business critical assets
Complete testing every time a critical asset is updated
Step #2: Identify and prioritize assets
Before you start choosing which assets to include in your program, you first need to be sure you are aware of all current assets. For small organizations, this step is usually quite simple. However, for enterprise-scale organizations, it can be much more challenging.
A spreadsheet can be a useful tool to help you keep track, and can also be used to note salient information on each asset such as:
Whether any large or critical releases are scheduled for this year
When the asset was last tested
Asset complexity, e.g., the number workflows and user types it uses
Whether the asset is in scope for any compliance assessments, e.g., PCI-DSS
Whether the asset stores sensitive information
It may be that not all assets are equally important to your organization. Your pentest program should aim to provide maximum coverage for your most critical assets while testing less critical assets more infrequently. For low priority assets, it may even be that automated testing is sufficient.
Step #3: Check release schedules and planned changes to infrastructure
A pentest program should provide continuous security coverage for in-scope assets. For that to be possible, pentests should be scheduled whenever a significant change occurs — either through a planned code release or a more major infrastructure change.
Before you start scheduling pentests, get a full picture of the organization’s intended product release strategy during the program period. Also, to keep your bases covered, plan for some ad-hoc testing to account for any surprises along the way.
Step #4: Determine your budget
So far we’ve never come across an organization that has a limitless budget for security testing. Given that, your pentest program should be designed to make maximal use of available resources.
A pentest program can happen on a budget, but sometimes tough decisions need to be made. Perhaps only the assets that have compliance impacts are included in the scope to begin with. Frequency of testing can also be limited to maximize value on a budget. What’s most important in this situation is to educate the business on the risks of not conducting a pentest on a digital asset on a regular basis or to the depth necessary. This isn’t fear mongering, but as security professionals we’re responsible for driving education of risks. Raising these risks are a great way to add budget to fund security programs that reduce or eliminate risk.
Once you have an idea of your budget, you can work with your pentesting provider to ensure expectations align with the program.
Step #5: Scope the program
This is where the rubber meets the road. The precise content of a pentest can vary significantly depending on which assets are in scope, how frequently they need to be tested, and what priorities you set. Now you know what budget you’re working with, you’ll be able to design a pentest program that strikes a balance between cost and cyber risk reduction.
It’s at this point that you’ll need to make final decisions such as:
Which assets will be in scope?
What schedule will the program work to?
How often will assets be tested?
How long will each testing window be?
How will issues be fed back to engineering?
Once again, make sure you’re working closely with development teams throughout the planning process. After all, it’s logical to base testing frequency on release schedules, but only if developers are available to work on fixes.
Step #6: Source pentesters
Sourcing testers for a pentest program is not trivial. Most traditional penetration testing providers are booked weeks in advance, making it a challenge to secure testers at regular intervals.
This is where Cobalt’s Pentest as a Service model adds value. The Cobalt platform gives you on-demand access to a large pool of vetted pentesters with almost no lead-in time, making it an ideal choice for regular pentesting. It also caters well to ad-hoc pentesting, in case an unexpected need arises.
How To Build a Comprehensive Pentest Program
If you’re thinking about setting up a pentest program, the process laid out above will serve you well. However, there are a few other things you should know. To guide you through the process, we’ve created the Comprehensive Guide to Building a Pentest Program.
Download the guide today to learn:
What a pentest program is, and how it differs from other security testing options.
Why a programmatic approach to testing outperforms other delivery models for most needs.
A detailed guide to building a pentest program, from conception to review.
Who to involve in your program, and how to gain executive buy-in.
How we created our own pentest program at Cobalt, and what lessons we’ve learned.
Why pentest programs are the ideal way to minimize cyber risk associated with digital assets.
Download the free guide here or check out the webinar below: