Scoping is the process used to determine both the amount of effort required to test an application, as well as the formal boundaries of that test. This part of the process is key in ensuring that the test covers everything you are expecting it to, and the appropriate amount of testing time is determined. At this point, you should be prepared to show your provider the application in some form. This might be by providing them access to an instance of the application, through supplying screenshots or user guides, or a walkthrough on a video conference. Your pen test provider will walk you through this process, but being prepared will ease the process for both sides. It is important to ensure that you can provide enough detail for your provider to be able to accurately gauge the scale and complexity of the application; a simple, unauthenticated sales website is going to take less time to thoroughly review, than an application with complex user permissions and extensive user functionality.
The outcome of this process will be a formal scope and quote. That is a document defining what is and isn’t to be included in the test, as well as a cost. This document should be read carefully so that the scope addresses your requirements and expectations, and if you are happy you can move onto the next step.
Booking your test may seem like a trivial process, but mistakes at this point can cause a lot of issues down the line. There are still many things to consider.
Will the application be available at the time you are proposing, is there any planned maintenance, upgrade, or are there unusual expected workloads during the suggested dates?
Will you have staff available to support the test? The consultants performing your test may have queries before and during the test. Will someone be on hand in the unlikely event that there are any adverse effects on the availability of the application?
Will you be able to get the all required prerequisites in place before the test? Prerequisites are a set of tasks that need to be completed or conditions that need to be in place before the test can start; these are typically required to be confirmed at least a few days before testing begins. Some of the prerequisite questions may feel like duplication of questions asked during scoping, however this duplication is to ensure that the original scope’s objectives are met, and that no changes have taken place since the scoping exercise; this is especially relevant if there has been a delay between the scoping phase and the test commencing.
Specific note should be made of the prerequisites asking for permission for the testing to be conducted from any third parties you may be relying on, as this can take some time. Are you able to provide user credentials for all types of users? Are there any additional authentication controls in place that might need additional setup from the testers; good examples of these are client-side SSL certificates and multi-factor authentication. Does the environment being tested contain data that can be used by the testers? This is particularly relevant for pre-production systems. It is also worth testing the prerequisites from a non-corporate device, not one connected through corporate LAN. As such a simple checklist may help:
This should be the easy point for you, just be ready to answer any clarification questions your testers might have. Your work starts again once the report is finalised, which we shall explore further in an upcoming blog post. If you would like to be alerted about this please subscribe to the form in the corner.