Learn more about penetration test pre-assessment checklists and how these checklists help prepare your organization for a penetration test.
TL;DR:
Whenever a company is planning a penetration test, we require them to prepare a pre-assessment checklist. This list of items helps ensure that the penetration test returns information that will help the business meet its objectives, and keeps the testers and the client on the same page on matters such as scope. Let's look at what this checklist should include:
Details the pentesters need to know: The first element of the list should be a set of questions covering the details our pentesters need to know to prepare for the engagement. For example, the pentesters may want to know whether you are looking to meet a specific compliance regulation or security standard, or whether you are worried about a particular class of cyber attacks. Questions related to your business objectives should be included in the checklist so that the pentesters can focus their efforts on the security gaps you are most concerned about.
Provide information about the application: You should be asked to provide information and context about the application that will be tested. This should include the frameworks used to build your app, the cloud hosting platform, the type of databases it uses, the type of API platforms, and how many endpoints need to be tested. Providing this information allows the testers to be more targeted in their approach and ensures that all elements of your environment are properly examined.
By providing this information upfront you remove blockers that could delay the penetration test or reduce its effectiveness. This information also helps gauge how prepared an organization is for a penetration test and how much work remains before testing can begin. Lastly, it helps the tester prepare questions for future meetings to ensure they understand the full scope of the engagement. For example, they may want to request an application demo.
Obtaining consent and ensuring legal compliance are crucial steps in preparing for a penetration test. Before initiating the test, it's essential to discuss and agree on the specific type of pentest (black-, gray-, or white-box) that best meets the company's needs. Once decided, gather and share relevant documentation with the pentesting team, including walkthrough videos, process diagrams, data flow charts, user role explanations, and access control matrices. This information helps testers conduct a more thorough assessment. Additionally, obtaining consent from stakeholders and verifying that the test won't violate any laws or regulations is vital to avoid legal issues. Collaborating with the pentesters throughout the process ensures a well-prepared environment and maximizes the effectiveness of the penetration test.
Another important item for the checklist is to outline the roles within your application. The testers will want to know which roles exist and get a full list of working accounts for each application role, for example admin accounts vs. normal users vs. guest accounts. Account compromise is an important part of a penetration test, and by listing all of the accounts you help the testers understand the potential risk and test for access control issues and privilege misconfigurations associated with each account.
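As an added example (not code from the original article), the script below takes the two artifacts this section asks for, an access control matrix and a list of test accounts per role, and expands them into an authorization test plan, then flags privilege misconfigurations where observed results deviate from the matrix. The roles, endpoints, account names and observed responses are constructed sample data.

```python
# Constructed access-control matrix: role -> endpoints that role is meant to reach.
ACCESS_MATRIX = {
    "admin": {"/admin/users", "/reports", "/profile"},
    "user": {"/reports", "/profile"},
    "guest": {"/profile"},
}

# Constructed working test accounts per role, as the checklist asks the client to supply.
TEST_ACCOUNTS = {
    "admin": ["admin-test-1"],
    "user": ["user-test-1", "user-test-2"],
    "guest": ["guest-test-1"],
}


def roles_without_accounts(matrix, accounts):
    """Checklist gap: roles in the matrix that have no working account to test with."""
    return sorted(role for role in matrix if not accounts.get(role))


def build_test_plan(matrix, accounts):
    """Expand matrix x accounts into (account, role, endpoint, expected_allowed) cases.
    Every account is exercised against every endpoint, so expected denials are tested too."""
    endpoints = sorted(set().union(*matrix.values()))
    return [(name, role, ep, ep in matrix[role])
            for role, names in accounts.items()
            for name in names
            for ep in endpoints]


def find_misconfigurations(plan, observed):
    """observed maps (account, endpoint) -> True if access was granted, False if denied.
    Flags excess privilege (denial expected, access seen), missing access
    (access expected, denial seen) and cases with no recorded result."""
    findings = []
    for name, role, ep, expected in plan:
        got = observed.get((name, ep))
        if got is None:
            findings.append(("untested", name, role, ep))
        elif got and not expected:
            findings.append(("excess_privilege", name, role, ep))
        elif expected and not got:
            findings.append(("missing_access", name, role, ep))
    return findings


def sample_observations(plan):
    """Constructed responses: follow the matrix except for two injected deviations."""
    obs = {(name, ep): expected for name, _, ep, expected in plan}
    obs[("guest-test-1", "/admin/users")] = True   # guest reaches an admin-only endpoint
    obs[("user-test-2", "/reports")] = False        # legitimate user wrongly denied
    return obs


if __name__ == "__main__":
    cases = build_test_plan(ACCESS_MATRIX, TEST_ACCOUNTS)
    for finding in find_misconfigurations(cases, sample_observations(cases)):
        print(finding)
```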
After completing the checklist, there may be remaining action items that you need to do before a penetration test. The penetration test team should advise you on these action items, but here are the most common things people need to prepare for their penetration test.
Pre-assessment checklists help ensure that penetration testers are thorough in their approach and cover all bases. By having a checklist to refer to, penetration testers can minimize the risk of overlooking something important and ensure that their report provides the most possible value to their clients. Understanding how a pre-assessment checklist helps with preparing for a penetration test is crucial for thorough and effective testing. It not only helps the pentesters focus their efforts on the highest-priority threats, but can also improve the ROI of your penetration test in the long run.