Penetration Testing

Ensuring The Test Meets Your Expectations I Preparing for Your First Pen Test- Part 2

Written by Martin Ellis

Published on 12 Apr 2019


Step 3: Scoping

Scoping is the process used to determine both the amount of effort required to test an application and the formal boundaries of that test. This part of the process is key to ensuring that the test covers everything you expect it to, and that the appropriate amount of testing time is determined. At this point, you should be prepared to show your provider the application in some form. This might be by providing them access to an instance of the application, by supplying screenshots or user guides, or through a walkthrough on a video conference. Your pen test provider will walk you through this process, but being prepared will ease it for both sides. It is important to ensure that you can provide enough detail for your provider to accurately gauge the scale and complexity of the application: a simple, unauthenticated sales website is going to take less time to thoroughly review than an application with complex user permissions and extensive user functionality.

The outcome of this process will be a formal scope and quote: a document defining what is and isn’t to be included in the test, as well as a cost. Read this document carefully to check that the scope addresses your requirements and expectations; if you are happy with it, you can move on to the next step.


Step 4: Booking the Test and Prerequisites

Booking your test may seem like a trivial process, but mistakes at this point can cause a lot of issues down the line. There are still many things to consider.

Will the application be available at the time you are proposing? Is there any planned maintenance or upgrade, or are unusual workloads expected during the suggested dates?

Will you have staff available to support the test? The consultants performing your test may have queries before and during the test. Will someone be on hand in the unlikely event that there are any adverse effects on the availability of the application?

Will you be able to get all the required prerequisites in place before the test? Prerequisites are a set of tasks that need to be completed, or conditions that need to be in place, before the test can start; these typically need to be confirmed at least a few days before testing begins. Some of the prerequisite questions may feel like a duplication of questions asked during scoping; however, this duplication is there to ensure that the original scope’s objectives are met and that no changes have taken place since the scoping exercise. This is especially relevant if there has been a delay between the scoping phase and the test commencing.

Specific note should be made of the prerequisites asking for permission for the testing to be conducted from any third parties you may be relying on, as obtaining this can take some time. Are you able to provide user credentials for all types of users? Are there any additional authentication controls in place that might need additional setup from the testers? Good examples of these are client-side SSL certificates and multi-factor authentication. Does the environment being tested contain data that can be used by the testers? This is particularly relevant for pre-production systems. It is also worth testing the prerequisites from a non-corporate device, not one connected through the corporate LAN, so that you see what the testers will see. As such, a simple checklist may help:

  • Will the application be available to test during the proposed testing dates?
  • Will there be staff available from your side to support the test in the run-up and during the test?
  • Will you be able to provide prerequisites in time?
  • Have you validated the prerequisites from a non-corporate device?
  • Does the system have sufficient data available to the test accounts?


Step 5: First Day of Test

This should be the easy part for you: just be ready to answer any clarification questions your testers might have. Your work starts again once the report is finalised, which we shall explore further in an upcoming blog post.

You can read the first part of the blog here.
