By SureCloud’s Martin Ellis, Senior Cybersecurity Consultant.
In our previous blog, we discussed the levels of traffic a penetration test can bring to your site and applications and how best to prepare for it, which you can read here. Continuing the discussion, let's look at some of the other elements that need to be considered…
Does your system rely on email as part of its workflow? It is common for workflows to use emails for processes such as password resets, but also to communicate important updates to internal users. If a single HTTP request can trigger an email, expect your application to be sending thousands of emails.
As with the levels of traffic discussed above, it is worth considering how this might affect you; might you fill up the email recipients’ inboxes or trigger a spam protection system? It may be worth configuring or modifying your application to batch messages into single emails to reduce the amount of traffic being sent, or testing these features of the application in an environment that does not email real users. Bear in mind that any temporary change of this kind, like those suggested, may affect your test coverage, because the environment under test no longer matches the normal case.
Requests from your testers
You may receive requests from your testers during the test, and you will need someone on hand to handle them. These requests may range from simple account management issues, such as a tester needing accounts unlocked, through to technical questions. It is important to understand that your tester is not trying to trick you but is trying to be as efficient with testing as possible.
There is one proviso to the above, however, and that is if social engineering has been agreed as part of your scope. This is outside the scope of this article, beyond highlighting the importance of making it clear what is and isn’t in scope for the social aspects, and of still maintaining a clear line of communication even while this is taking place.
What to do when things go wrong?
So, something unexpected has happened, or something has gone wrong. Your first step is always to reach out to your testers; a clear line of communication should have been agreed upfront. Where appropriate, ask them to pause what they are doing to give you breathing space but understand this will cut into your testing time.
Always remember that although your testers are looking for security issues, they are trying to help you, not cause issues. They will work with you as much as they can to make the process as easy as possible.
We hope this has provided you with peace of mind and helps you through your first tests. We will continue this series of posts with some advice on what to do post-test in an upcoming blog.