It’s come to the point where you have decided you need your application and/or service penetration tested, but the next steps seem daunting. In this post we will walk through the process you and your chosen pen test provider will travel together, from that initial decision to the day the test starts, using an example web application.
This might sound simple, but it may be one of the biggest stumbling blocks on your first test. Your initial thought might well be that you want everything tested, but what is “everything”, and is testing everything even feasible? Whilst it may be possible, the cost, time, and access required may be prohibitive. Your application may be made of many parts, and although to a user it may seem like it’s “just a web page”, there may be many components interacting. Instead of considering the application as a whole, it may be easier to think of the perimeters and interfaces which an attacker might compromise.
To this end, a diagram of your infrastructure may be useful; a sketch would be fine, but I have used the Microsoft Threat Modelling Tool to produce the following example.
The point of this exercise was to build a model of the application so that we can determine the trust boundaries; these are the points that an attacker, and legitimate users, will have to pass through to gain access to the application. This process also helps to define the various interfaces available to the application. In the above example there is one major trust boundary between the Internet and the hosted application.
Firstly, let’s consider where you want your application tested from. For your first web application test, this would typically be from the Internet side (outside the red dotted line on the previous diagram).
Next, decide on anything that you want to consider out of scope. In our example, let’s exclude the VPN connection from authenticated testing.
At this point you should have a good idea of what you want tested, so you should now reach out to your pen test providers (choosing a provider is out of the scope of this article). Depending on the amount of information you supply, your provider will likely have some questions to get the scoping stage started. It is at this point that you explain what you want to be tested, and this information will be converted into a scope and a quote for you in the next step.