Questions You Should Ask when Preparing For Your First Pen Test

Written by Martin Ellis

Published on 30 Oct 2023


Breaking down your Penetration Test prep questions

You have reached the point where you have decided that your application and/or service needs a penetration test to assess its exposure to potential cybersecurity threats, but the next steps may seem daunting. In this blog we will walk through the process from that initial point to the day the penetration test starts, using an example web application, and cover some of the considerations to bear in mind when working out what questions to ask your pen test provider.

Step 1: What do you want testing?

This might sound simple, but it may be one of the biggest stumbling blocks on your first pen test. Your initial thought might be that you want everything tested, but what is “everything”, and is testing everything even feasible? Whilst this may be possible, the cost, time, and access required may be prohibitive. Your application may be made of many parts, and although to a user it may seem like it’s “just a web page”, there may be many components interacting. Instead of considering the application as a whole, it may be easier to think of the perimeters and interfaces which an attacker might compromise.

To this end, a diagram of your infrastructure may be useful; a sketch would be fine, but I have used the Microsoft Threat Modelling Tool to produce the following example.

 

The point of this exercise was to build a model of the application so that we can determine the trust boundaries; these are the points that an attacker, and legitimate users, will have to pass through to gain access to the application. This process also helps to define the various interfaces available to the application. In the above example there is one major trust boundary between the Internet and the hosted application.

Firstly, let’s consider where you want your application tested from. For your first web application penetration test, this would typically be from the Internet side (outside the red dotted line on the previous diagram).

Next, decide on anything that you want to consider out of scope. In our example, let’s exclude the VPN connection from authenticated testing.
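
As an added example (not from the original article or from SureCloud), the sketch below turns a trust-boundary model into a scope list for each test type, testing from the Internet side and excluding the VPN connection from authenticated testing as described above. The component names, zone labels and the `build_scope` helper are assumptions standing in for the diagram, and leaving the VPN in scope for unauthenticated testing is this example's reading of that exclusion.

```python
# Constructed model: component names are illustrative assumptions standing in
# for the diagram. Only the Internet/hosted trust boundary and the VPN
# exclusion come from the article.
ZONES = {
    "Browser user": "internet", "Remote admin": "internet",
    "Web front end": "hosted", "VPN gateway": "hosted",
    "Application API": "hosted", "Database": "hosted",
}
# Each flow is (interface name, source component, destination component).
FLOWS = [
    ("HTTPS web traffic", "Browser user", "Web front end"),
    ("VPN connection", "Remote admin", "VPN gateway"),
    ("Front end to API", "Web front end", "Application API"),
    ("API to database", "Application API", "Database"),
]
TEST_TYPES = ("unauthenticated", "authenticated")
# (interface, test type) pairs agreed as out of scope.
EXCLUSIONS = {("VPN connection", "authenticated")}


def build_scope(zones, flows, exclusions, test_from="internet"):
    """Sort every interface into a bucket for each test type."""
    known = {name for name, _, _ in flows}
    stray = sorted(name for name, _ in exclusions if name not in known)
    if stray:
        # An exclusion that matches nothing usually means a typo in the scope.
        raise ValueError(f"exclusions name unknown interfaces: {stray}")
    scope = {t: {"in_scope": [], "excluded": [], "behind_boundary": []}
             for t in TEST_TYPES}
    for name, src, dst in flows:
        # Exposed to the tester only if the flow starts in the tester's zone
        # and crosses the trust boundary into a different zone.
        exposed = zones[src] == test_from and zones[dst] != test_from
        for test_type in TEST_TYPES:
            if not exposed:
                bucket = "behind_boundary"
            elif (name, test_type) in exclusions:
                bucket = "excluded"
            else:
                bucket = "in_scope"
            scope[test_type][bucket].append(name)
    return scope


if __name__ == "__main__":
    for test_type, buckets in build_scope(ZONES, FLOWS, EXCLUSIONS).items():
        print(test_type, buckets)
```

The `behind_boundary` bucket lists interfaces that an Internet-side test does not reach directly, which is useful to state explicitly when explaining to a provider what you want tested.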

 

Step 2: Approach Pen Test Providers

At this point you should have a good idea of what you want testing, so you should now reach out to your pen test providers (choosing a provider is out of the scope of this article). Depending on the amount of information you supply, your provider will likely have some questions to get the scoping stage started. It is at this point that you are explaining what you want to be tested, and this information will be converted into a scope and a quote for you in the next step.

You can read part 2 here, where we discuss scoping, booking the test and the first day of the test.
