Whether or not you are experienced in the exercise of a security audit, you will find in this article some points allowing you to prepare your pentest well by making sure you have the necessary information and reflexes before consulting your service providers, but also to maximize your return on investment.
Definition of the scope of the penetration test
➜ Know your risks
A pentest will not replace a risk analysis of your application. This analysis is essential to define the relevant test scenarios according to the threats and impacts identified. It must be conducted with the various stakeholders of an application or a scope so as to be as exhaustive as possible and to reflect the real business impacts.
➜ Know the pentest types
Make sure you are comfortable with the terminologies used by consultants in IT security audits : internal pentests, external pentests, black box, white box, red team, vulnerability scans, social engineering… when in doubt do not hesitate to ask your service provider for a detailed presentation of the different types of IT security audits. Being comfortable with the lexicon allows you to better define your needs and have a better understanding of the offers. You can also consult the “pentest stories” trilogy on our blog in order to discover certain scenarios in a concrete way.
➜ Set clear goals
A penetration test can be motivated by different objectives: the company’s security policy, partner requirements, legal obligations, accelerate the decommissioning of an application, or assess its level of security in order to improve it. Communicating clearly on your objectives makes it possible to refine the scope, direct the mission towards certain types of tests and provide appropriate conclusions. The efficiency and return on investment of the pentest are therefore increased.
➜ Determine a budget
Whether your company manages a budget to carry out an annual audit plan or whether it is a one-shot audit, the envelope determines the quality of the penetration tests: directly because it limits the time spent by the pentester the number of scenarios executed, and indirectly because it can encourage people to go to the least expensive service providers.
Proposals should meet your needs but should not sacrifice quality over quantity either: an experienced pentester on your technological stacks and business area sera beaucoup much more effective and relevant which will allow you to achieve or even exceed the expected results, where others will be able to carry out a greater number of days, because it is cheaper, without however achieving this level of result. The service provider must also be force of proposals in order to be able to adapt its services to your budget, nevertheless being a pentester requires advanced skills and knowledge that are valued.
Do not hesitate to pick different service providers according to your needs and the scope of the audit.
➜ Determine the scope
You can determine a first scope based on your objectives, your risk analyzes and your budget. The security audit providers consulted will then be able to complement your vision thanks to their experience in the qualification of this type of mission.
➜ Roughen up cyber topics before and during the audit
During years, DSecBypass consultants realized that it was frequent during pentest restitutions to discuss vulnerabilities actually known or suspected by the technical teams: they might already be formalized in the report of an internal security tool (SAST, DAST, SCA) , or “already mentioned” by some developers but without any follow-up.
In order to optimize the work of the auditor and maximize the gains of the intrusion test, a work of compiling the various known cyber subjects can be carried out in anticipation of the audit: update the results of the different tools and make sure that you do not leave any obvious and easy-to-fix vulnerabilities that could waste the pentester’s time. Do not hesitate, depending on your objectives, to provide him with additional information to guide his research. Finally, if the context allows it, carrying out the pentest in contact with the technical team often increases the effectiveness of the tests by promoting the frequency and speed of exchanges between the latter and the auditor.
During the pentest
➜ Do not patch silently
Most security audit providers will notify you if a critical vulnerability has been exploited. You will then be able at this time to discuss whether or not it is necessary to correct it during the audit. In any case, inform the auditor of the actions that you carry out on the environment during the mission because they can falsify his tests, degrade the real impact of the vulnerability, and cause him to waste precious time. Inform your different teams so that they are not tempted to monitor the actions of the pentester with the aim, very often in good faith, of correcting the exploited vulnerabilities as quickly as possible.
➜ Capitalize on the mission
Use the logs, alerts from your security or monitoring equipment and any user feedback to analyze what you have correctly detected, make the connection with certain types of attacks and their manifestations on your consoles, identify potential gray areas, and thus improve your ability to detect security incidents.
➜ Do not let your guard down
During intrusion tests, attacks are launched from well-identified service provider systems. Stay alert to attacks that occur during the mission by making sure that they come from them and that it is not a real attack that takes place in parallel with the audit.
🛡️ DSecBypass accompanies you on your IT security services. Do not hesitate to contact us for additional information and/or a personalized quote 📝.
