To get the most from a penetration test, your organization must do the necessary prep work. Doing prep work makes the job easier for the security experts and can help them to find more vulnerabilities throughout the test. Both the testers and the client have responsibilities when it comes to making the test a success. This article will discuss six unique ways an organization can properly prepare for a penetration test.
The first thing you should do to prepare for your penetration test is to get management involved. This is important for several reasons. Firstly, you want to understand any business objectives directly tied to this penetration test; for example, you may have a compliance or certification-related audit coming up, and the test may be intended to help the organization meet those requirements. Secondly, management can add context to the scope of the test. Getting the security director involved is great, but having team members like developers and the CISO involved can also help fill in business and organizational context from different perspectives. For example, developers can answer questions about the code. The CISO may have specific objectives in mind and can help determine the priority of assets. Lastly, your security director can pull these groups together and organize them toward the goal.
Next, you want to provide as much knowledge about the organization and its products as possible. The more context the penetration test team has on the company's business and application(s), the better they can identify top priorities and the most likely and most dangerous threats. Explaining your application's function, backend, data, and other components will help the team connect the dots. Another useful piece of information to provide is any past penetration tests, audits, or other security-related issues. These give valuable insight into the company's weak areas, and the testers can verify that those past issues were properly addressed. Lastly, it is very valuable to describe the application's use case, give a demo, and help the testers understand how customers navigate the application. Knowing how people interact with the application helps the testers anticipate the most common attacks and what they need to test for.
It is essential for a business to have objectives or priorities for its penetration test. Ask yourself what you want to achieve; this helps the pen testers prioritize your needs during the test. Your needs could be testing a new application you plan to launch, preparing for an upcoming audit, or making sure that specific data within the company is properly protected. You should also establish expectations for how the test will be conducted. Agree on an SLA that outlines things like the dates and times the environment can be tested, how long the test should take, and what the priorities are once the report is received.
Another practice that can help tremendously with penetration testing is threat modeling. Threat modeling identifies, communicates, and understands threats and mitigations within the context of protecting something of value. Pentesters combine threat modeling with the client's products, assets, and data flows to determine the most relevant potential threats. One of the most important diagrams to provide for penetration testing is the basic deployment diagram (BDD): a chart that shows the connectivity and pathways between hardware and software. A BDD helps pen testers see the connections between different software components and where threat actors might find access or entry points. It also helps ensure that the test environment the pen testers work in is accurate. One of the biggest issues pen testers face is being given a test environment that is not laid out the way the customer sees and interacts with the real one. In these situations, even if the test is conducted properly, the results may not be applicable to the company's production environment.
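To make the two uses of a deployment diagram concrete, here is an added example (not tooling from the original article or its author) that models a BDD as a directed graph. It answers the threat-modeling question of which sensitive assets an external entry point can reach and along which hops, lists the components that no external path reaches (so they need a credentialed or internal test), and diffs a staging environment against production to flag connectivity drift that would make findings non-transferable. All component names, connections, and the `SENSITIVE` set are constructed sample data.

```python
"""Threat modeling over a basic deployment diagram (BDD) represented as a
directed graph. Added example for this article, not the author's own tooling;
every component name and connection below is constructed sample data."""
from collections import deque

# Constructed production BDD: component -> set of components it talks to.
# "internet" is the external entry point a threat actor starts from.
PRODUCTION = {
    "internet": {"waf"},
    "waf": {"web-app"},
    "web-app": {"api", "cdn"},
    "api": {"user-db", "payments-svc"},
    "payments-svc": {"payments-db"},
    "cdn": set(),
    "user-db": set(),
    "payments-db": set(),
    # Reachable only from the corporate network, never from the internet.
    "admin-portal": {"api", "user-db"},
}

# Constructed staging copy that drifted from production: the WAF is absent,
# the CDN is missing, and the admin portal is exposed directly.
STAGING = {
    "internet": {"web-app", "admin-portal"},
    "web-app": {"api"},
    "api": {"user-db", "payments-svc"},
    "payments-svc": {"payments-db"},
    "user-db": set(),
    "payments-db": set(),
    "admin-portal": {"api", "user-db"},
}

# Assets the business cares most about (constructed).
SENSITIVE = {"user-db", "payments-db"}


def reachable(graph, start):
    """Return every component reachable from `start` (breadth-first search)."""
    seen = {start}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for nxt in graph.get(node, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def exposed_sensitive(graph, entry="internet", sensitive=SENSITIVE):
    """Sensitive assets that have some path from the entry point."""
    return sorted(sensitive & reachable(graph, entry))


def out_of_reach(graph, entry="internet"):
    """Components no external path reaches; they need an internal or
    credentialed test to be covered at all."""
    return sorted(set(graph) - reachable(graph, entry))


def shortest_path(graph, start, goal):
    """Shortest hop sequence from start to goal, or None. Each hop is a
    boundary where a control (auth, filtering, segmentation) can be checked."""
    parent = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == goal:
            path = []
            while node is not None:
                path.append(node)
                node = parent[node]
            return path[::-1]
        for nxt in graph.get(node, ()):
            if nxt not in parent:
                parent[nxt] = node
                queue.append(nxt)
    return None


def connectivity_drift(prod, test):
    """Edges present in production but not the test environment, and vice
    versa. Any non-empty result means findings may not transfer."""
    prod_edges = {(a, b) for a, bs in prod.items() for b in bs}
    test_edges = {(a, b) for a, bs in test.items() for b in bs}
    return sorted(prod_edges - test_edges), sorted(test_edges - prod_edges)


if __name__ == "__main__":
    print("exposed in prod:", exposed_sensitive(PRODUCTION))
    print("needs internal test:", out_of_reach(PRODUCTION))
    print("path to payments-db:", shortest_path(PRODUCTION, "internet", "payments-db"))
    missing, extra = connectivity_drift(PRODUCTION, STAGING)
    print("missing in staging:", missing)
    print("extra in staging:", extra)
```

Run against the sample data, the drift check reports that staging lacks the `internet -> waf` and `waf -> web-app` hops and adds a direct `internet -> admin-portal` edge, which is exactly the kind of mismatch that makes a clean staging result meaningless for production, while `out_of_reach` shows that `admin-portal` is invisible to an external-only test of production and therefore needs to be in scope for an internal or authenticated phase.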
Companies that have the information needed for the penetration test organized make the process much smoother and give the pentesters more time for actual testing. If the testers are blocked waiting for things like credentials or a complete list of assets to be tested, testing time is lost and the engagement is delayed. Being proactive and prepared helps your team find more vulnerabilities, faster. Here are some final items that you should have ready before the start date of your penetration test:
The last item on our list is for you to prepare for the post-report aspect of the test. Any time you do a penetration test, you should plan for vulnerabilities to come back and decide how your team will allocate resources to fix them. This is important for ensuring quick remediation, especially if you have a tight deadline involved in the process, for example an audit scheduled within the next few months. By having the resources ready to go beforehand, you can expedite the process and ensure you meet your deadlines. Also, to confirm that you have applied the fixes correctly, you should prepare for a retest following whatever remediation guidelines your pentester gives you. Going forward, to stay on top of future vulnerabilities, we suggest all clients continue doing quarterly pen tests to optimize their security program.
Pentesting can be an important part of your organization's security strategy. While it's important to find a reputable and experienced vendor, it's also important for clients to be properly prepared before the pentest. By doing this work upfront, you help the pen testers be much more efficient with their time and find more vulnerabilities during the test. Check out 4 ways security leaders use penetration testing to elevate their security programs!