Penetration Testing

Managing traffic from your first pentest | Are you ready for your first test? Blog 1

Written by

Martin Ellis

Published on

20 Jan 2020

So, you have booked your first test, and now you are wondering what you should be prepared for?

In this blog, we will talk about:

  1. The sort of traffic you are likely to see from your testing provider
  2. How this might affect you
  3. The choices you make around testing

We will be looking at this from the point of view of a web application test, but many of the themes apply to infrastructure testing as well. All of these points describe the general case; they may not match everything you agreed to during scoping.

What might I expect during testing?

In this section, we briefly discuss some of the common things we have seen clients struggle with, or not expect, during testing.

Levels of traffic

During testing you are likely to see a lot of traffic; for some clients, this may be far more traffic than your site is used to seeing, and it may include requests that a real user is unlikely to try repeatedly. That single slow request that isn’t an issue because users only call it once might suddenly be called hundreds of times. What you should remember is that this is not a load test; the testers are not trying to crash your site through traffic. If you are seeing slowdown on your website that is affecting other users, reach out to your tester and ask them to slow down testing in general, or tell them which specific requests are causing issues.

There are a few things you should consider before testing that may help with the above. Can you recover the site quickly if there is an issue? SureCloud would recommend testing how long it takes to recover from a host failing under load. In the unlikely event that a server fails due to traffic during a test, is this downtime acceptable to you?

It should also be noted that the traffic from the testers is likely to be intermittent because testing features of applications produces a large amount of data that your testers will have to process. You are likely to see a large influx of traffic as the testers investigate a feature, followed by lulls in traffic as they process the responses; this is normal and should be expected as good testing has a large amount of manual work and review.

The final takeaway is that if a tester can take down your website or application, it is highly likely that an attacker can too, and an attacker will have the ability to direct far more traffic at you than your testers are using.

Types of traffic

Your testers will be sending your application traffic that it is unlikely to have seen before, because how an application handles unexpected traffic and requests helps them determine whether it has any security vulnerabilities. This traffic will be trying to find bugs in both your infrastructure and your application logic, and will include malformed requests at all levels of the messages.

This is likely to produce a lot of logging; this is normal. Depending on the application, you may also receive messages that trigger virus alerts, which is also to be expected. Where possible, SureCloud recommends filtering the logs generated from your testers’ source addresses into their own location. This information should not be thrown away, as it may contain valuable information to help diagnose issues discovered during testing; instead, it should be reviewed, and by separating it from your usual logs you help prevent testing from masking real issues affecting real clients of the application.

If you do see traffic that you are concerned about, first check the source of the traffic to see whether it is coming from your testers, and then reach out to them. They will be able to explain what was happening at the time and may be able to clarify things for you.

It should also be noted that, unless otherwise specified, it is usual for other services exposed to the internet from your web application server to be in scope as well. If this is something you explicitly don’t want, it should be agreed with your testers during the scoping phase.
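To put the advice in the last two sections into practice, here is an added Python example that is not from this post or from SureCloud. It separates access-log entries from the testers' agreed source ranges into their own set, counts which endpoints the testers are hitting hardest (the list you would send them when asking them to ease off specific requests), checks the non-tester log for server errors that tester noise would otherwise mask, and answers the "is this source one of our testers?" question. It assumes a Common Log Format access log with a trailing request-time field in seconds; the 203.0.113.0/24 tester range and the log lines are constructed placeholders, not real data.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Assumed tester source ranges, as agreed during scoping. 203.0.113.0/24 is
# a documentation range used here purely as a constructed placeholder.
TESTER_NETS = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed access-log sample: Common Log Format plus a trailing
# request-duration field in seconds. 198.51.100.x stands in for real clients.
SAMPLE_LOG = """\
203.0.113.10 - - [20/Jan/2020:10:00:01 +0000] "GET /search?q=a HTTP/1.1" 200 512 0.800
203.0.113.10 - - [20/Jan/2020:10:00:02 +0000] "GET /search?q=%00%ff HTTP/1.1" 500 128 0.900
203.0.113.10 - - [20/Jan/2020:10:00:02 +0000] "GET /search?q=aaaaaaaaaaaaaaaa HTTP/1.1" 200 510 0.900
203.0.113.11 - - [20/Jan/2020:10:00:03 +0000] "POST /login HTTP/1.1" 401 64 0.020
198.51.100.7 - - [20/Jan/2020:10:00:03 +0000] "GET /products HTTP/1.1" 200 2048 0.030
198.51.100.8 - - [20/Jan/2020:10:00:04 +0000] "GET /checkout HTTP/1.1" 500 128 0.050
203.0.113.10 - - [20/Jan/2020:10:00:05 +0000] "GET /search?q=b HTTP/1.1" 200 512 0.800
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) (?P<secs>[\d.]+)$'
)


def parse_line(line):
    """Parse one access-log line into a dict; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    entry["secs"] = float(entry["secs"])
    # Group on the path only, so /search?q=a and /search?q=b count as one endpoint.
    entry["path"] = entry["target"].split("?", 1)[0]
    return entry


def is_tester(ip, tester_nets=TESTER_NETS):
    """True when the source address falls inside an agreed tester range."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in tester_nets)


def split_log(text, tester_nets=TESTER_NETS):
    """Partition parsed entries into (tester, other) so test traffic gets its own log."""
    tester, other = [], []
    for line in text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue  # unparseable line: skip rather than guess a source
        (tester if is_tester(entry["ip"], tester_nets) else other).append(entry)
    return tester, other


def hot_endpoints(entries, top=3):
    """Most-hit endpoints with mean response time, as (path, count, mean_secs)."""
    counts = Counter(e["path"] for e in entries)
    total_secs = defaultdict(float)
    for e in entries:
        total_secs[e["path"]] += e["secs"]
    return [(path, n, round(total_secs[path] / n, 3)) for path, n in counts.most_common(top)]


def server_errors(entries):
    """Count 5xx responses; run this over the non-tester log to find real client issues."""
    return sum(1 for e in entries if 500 <= e["status"] < 600)


def attribute_source(ip, tester_nets=TESTER_NETS):
    """First step when traffic looks worrying: is it from the testers or not?"""
    return "tester" if is_tester(ip, tester_nets) else "unknown"


if __name__ == "__main__":
    tester, other = split_log(SAMPLE_LOG)
    print("tester requests:", len(tester), "| other requests:", len(other))
    print("tester hot endpoints:", hot_endpoints(tester))
    print("5xx in tester log:", server_errors(tester), "| 5xx in client log:", server_errors(other))
    print("203.0.113.10 ->", attribute_source("203.0.113.10"))
```

In a real deployment the same split is better done at the log pipeline (a separate output keyed on source address) than after the fact, but the logic is the same: keep the tester entries, review them, and keep them out of the stream you use to spot problems affecting real users.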

Subscribe below to get alerted about part 2 of this blog – we continue to look at the different elements you should prepare for including requests from your testers and what to do if something goes wrong.