Decision to utilize pentesting for security improvement
The pen-testing journey starts when the business owner decides to use it to strengthen cybersecurity and reduce or avoid negative business impacts. The decision can be part of an overall security strategy, an experimental activity to evaluate the value of pen-testing, or even a mandatory deliverable for various certifications of the business. Supporting an internal cybersecurity team with unannounced or planned and announced pen-tests executed by an external team can also be a good reason to decide on a pen-testing activity.
Selection of an external pen-testing provider as a partner
We have described how to select an optimal external pen-testing partner, and the major aspects to consider, in one of our previous blog posts.
Selection of the suitable pen-testing package
A pen-testing provider offers various packages containing different services according to the required testing scope. It can be pen-testing for various environments such as web applications, content management systems, networks, clients, cloud and many more. Additional dimensions for the package selection can be manual, automated or combined pen-testing execution.
Discovery call for scope and environment setting
The pen-testing partner has been selected and the package(s) to be executed have been agreed on; now it's time for a discovery call. It is initiated by the external partner and requires the participation of the business responsible who knows the technical details of the environment to be tested. The aim of the discovery call is to set the stage for the start of the pen-testing; as a result, documentation has to be created covering which systems are involved (production vs. testing environments, for example), how to access them, whether there are any special topics to be considered, etc.
Start of the pen-testing
Right after the discovery call the pen-testing can be started. During manual or automated testing the defined system may show some unexpected behavior, as it has to respond to the pen-testing actions.
Weekly and on-going online status update
The pen-testing team logs the progress of the testing activities along with test execution, and customers can review the latest logs online at any time. Additionally, at the end of each week a status update email is sent to the business responsibles with a summary of the completed pen-tests and those still in progress.
Optional: Alarm notification in case of business-critical vulnerability detection
In case the pen-testing team detects an open vulnerability with a priority and severity rated "very critical", contact with the business responsibles is established immediately and the details of the vulnerability are provided to enable timely remediation of the risk.
End of pen-testing – delivery of the results document
After all of the planned pen-tests have been completed and the results document finalized, it is provided to the business responsibles, encrypted and protected with authentication methods to ensure only they can review its content. In addition to stating whether a vulnerability is open in the customer's tested environment, it contains the priority and severity of each detected open vulnerability. Information on how to reproduce each open vulnerability and recommended activities to close it are included in the results document as well.
Recovery call – review of the results document & Q&A
The business team can start remediation activities to close the detected vulnerabilities right after receiving the results document and get back to the pen-testing team in case any clarification is needed. The pen-testing team will schedule a review call within 1 to 2 weeks after delivery of the document to make sure the results have been correctly understood by the business team and there are no open topics.
Optional: retest of the detected vulnerabilities
The business responsible may order a pen-testing re-execution after a certain period of time to retest the detected open vulnerabilities and make sure the remediation actions were successful and no vulnerability is left open.