Preparing for a penetration test can be stressful to say the least.
There are many complicated processes to complete for a successful pentest — the vendor’s procurement process, the scoping and logistics of the test, and, of course, the remediation steps after the test.
PtaaS (Pentest as a Service) simplifies these processes and makes security testing easier than ever before.
Our platform supports your pentest, which will delight your security team by making these time-consuming processes more efficient. However, there is information you should be prepared to provide when performing a pentest.
Let’s take a closer look at each stage of the pentest process with our Pentest Checklist.
1. Pentest Objective & Scope
First, you must outline the objective and scope of your pentest.
This step is important as it allows testers to focus on the right aspects to ensure your company’s specific objectives are achieved. In order to do so, make sure that your team agrees on the details and checks to include in the test.
Objective
First, identify your team’s objectives. Perhaps the most important pentest objective is reducing risk. Other objectives vary, such as achieving compliance with the ISO-27001 or PCI-DSS frameworks. Another popular objective is including a 3rd party request from a prospect or investor.
Scope
Next, you must decide on the scope of the pentest. Will it be a Comprehensive Pentest for compliance for a new mobile application? Or will it focus on a specific change to a web application that only requires a targeted scope?
The latter would be perfect for Agile Pentesting, which demonstrates the importance of determining the scope of work. The scope of your pentest will direct testers to the right path and ensure they conduct the job effectively.
2. Select Pentest Type: Black-, Grey-, and White-Box Pentest
After deciding on the objective and scope, you’ll determine the specific type of pentest.The choices here range from a black-, gray-, or white-box test.
Before kicking off the test, it is important to discuss your decision internally and agree on the test that best meets your company’s needs. As lead pentester Goonjeta Malhotra explains, “It really helps us focus when we know the main areas of the application, what exactly are the functionalities, and are users actually able to follow your logic flow without breaking things. This way we can confirm not only where someone external can attack, but also where an internal user might unknowingly create a vulnerability or flaw in your systems.”
If you select a gray- or white-box pentest, the next step will be to prepare and share documentation with the pentesting team.
For the assets being tested, here’s a good list of documentation to gather for testers:
- Walkthrough videos or demos of your assets
- Process diagrams
- Data flow charts
- User role explanations
- Access control matrices
This list is not a requirement, but the additional documentation is a helpful resource to assist the testers in conducting a more thorough test.
Now let’s take a look at how to prepare for your pentest.
3. Alert Colleagues & Prepare Environment
It is a good idea to alert your colleagues of an upcoming pentest. This will ensure no one is caught off guard or has an adverse reaction once the test begins.
Furthermore, it’s important to prepare your environment before commencing the pentest. For example, IT teams should back up any critical data related to the pentest. You should not expect to lose data, but this is a precautionary step to ensure nothing is lost. Additionally, it’s often a best practice to conduct a pentest on a mirror image of your production environment rather than the environment itself.
If you are doing a gray- or white-box pentest, it’s important to set up and share credentials with the testing team. It is also critical to whitelist the pentesters’ IP addresses to ensure they have the necessary privileges to complete the pentest.
If you are conducting a black-box pentest, you will not provide the testers with information about the system or with credentials. In addition, there are times where companies want to conduct a double blind pentest and thus, they would not alert their team about an upcoming test.
Once this is complete, it’s now time to start the test.
4. Collaborate with Pentesters
Collaborating with pentesters can be a beneficial way to learn about cybersecurity best practices. Furthermore, it ensures that your team properly understands the vulnerabilities reported during the test and, most importantly, understands the necessary steps for remediation.
To streamline this process, designate a point of contact from your team to act as a liaison with the testers. This will ensure communications are streamlined and efficient for all parties involved. Furthermore, the liaison can discuss any questions the testers may raise during the testing phase, and guarantee questions are answered quickly to prevent any disruptions.
Lastly, the liaison will communicate with those analyzing the testing results and pose questions when necessary to ensure milestones are met and the project stays on track.
5. Kick off Remediation, Retesting, & Repeat
After the completion of your pentest, it’s time to kick off remediation. After triaging the detected vulnerabilities from the pentest, remedial measures will allow developers to fix any further vulnerabilities. After this, a complimentary retest on Cobalt’s PtaaS platform is available to ensure the proper patch was applied to each remeditated vulnerability.
Lastly, it’s time to repeat the process as outlined in your SDLC. Cobalt’s PtaaS platform makes this easier than ever with options to streamline your testing process such as:
- Visualize your end to end pentest program in a single platform to track improvements by leveraging historical test data
- Reduce admin work by submitting existing assets for a new pentest
- Integrate findings into your tech stack with integration such as Jira or GitHub
Conclusion
In closing, remember that a pentest can be a delightful process when using a modern, effective provider like Cobalt’s PtaaS platform. With preparation on your end, the testing process will be smooth and successful.
Furthermore, explore the State of Pentesting 2023 report to see how these preparation items impact the outcome of the test. This leading industry report not only summarizes specific examples as to how to gain more value from your pentest, but also presents many industry statistics and facts.