If Your Scope Is Bad, Your Pen Test Will Be Bad

Little boy with hat on in field looking through a telescope

Share

The quality of an engagement is heavily dependent on the quality of the scoping. If a penetration test doesn’t start with clear goals and mutual understanding, you’re likely leaving a lot of value on the table.

WHY DOES SCOPING MATTER?

A penetration test is, by nature, a limited engagement. The assessment team has a finite amount of time to identify critical weaknesses. What they’re able to accomplish in that time depends on the amount of information you give them during scoping. The more you provide the assessment team through the scoping process, the more value you’ll get from the assessment.

This might seem counter-intuitive, “they’re a hacker, shouldn’t they figure it out?” If a criminal has decided to target you, they have infinite time to find your weaknesses. They also don’t have to follow the law. That’s not true of your friendly neighborhood pen tester. A pen test should feel like a partnership, the assessment team wants to do everything they can to ensure they’re making your organization more secure. They might be emulating an attacker, but they’re your ally.

Keeping your pen tester in the dark only makes it harder for them to find weaknesses that you need to fix. Even if an attacker starts from zero, they have plenty of time to conduct reconnaissance and learn a lot about your organization, giving your pen tester a head start means they can get right down to the business of finding the real threats to your systems. Attackers also don’t have any limitations on what they can try. They don’t usually worry about knocking your systems offline, but a pen tester would. To maximize a pen tester’s limited time and balance out the technical limitations placed on them, provide as much information as you can. Here’s some guidelines to help you prepare for the scoping process.

QUESTIONS TO ASK BEFORE SCOPING YOUR PEN TEST

The goal of a scoping discussion is to build context. If you don’t tell us where the secret sauce is because you think the tester should be able to find it on their own, we can’t ensure we’re targeting our efforts to test those defenses. Here are some questions you can ask your team before scoping:

What is the goal of your penetration test?

What does success look like at the end of your engagement? It’s critical for both the scoping and assessment teams to know what you want to get out of a penetration test before we get started. Beyond checking off the compliance box, what keeps you up at night? You should have a business-driven understanding of where, how and by whom you might be targeted. Maybe you’re concerned about corporate espionage or insider threats more than outside attackers. It’s more useful to know the goals and intentions behind your test than what kind of test you’re looking for. Based on this information, the scoping team can help identify the right tests for your threat model.

Specific goals help refine the scope of the penetration test so the assessment team can dive deep into your areas of concern, rather than taking a broad, shallow approach.

What is the target?

Depending on your target, and your budget, the scoping team can help you identify the right test for your goals. The more information you can provide on the target during scoping, the better guidance you’ll receive. Broader scope assessments require more time to complete. If it’s an application, what kind of application is it? What is the business purpose of the target? Is it a single target that you want us to hit as hard as we can? Or do you want a broader look at the security of your systems?

If you aren’t sure how broad or specific you want the test to be, consider what makes your business unique? It’s about building the context so the assessment team can hit the ground running and deliver actionable, high-impact results. If you’re making cloud automation tools, your tech stack and our approach will be different from an online banking portal.

What are its use cases?

The next step in building the context for the test is understanding how the target is supposed to be used and who should or should not have access to the target. Does the target contain PII or proprietary information that should be protected? Does it need to have broad access permissions to ensure business operations run smoothly? A business-critical target with complex access requirements will take more time to assess thoroughly against the level of risk it may face from attackers. This again helps the scoping and assessment teams understand the type of assessment you need and the amount of time it will take.

What additional documentation do we need?

If you’re doing an application penetration test or a product security review, the scoping team will need the line of code count and API documentation to get a sense of the size and complexity of the software. For other tests, you might want to collect and provide things like a list of IPs and details of the target infrastructure, any documentation or materials that will help you accurately describe the scope of your test.

Who needs to be involved with scoping?

It may feel like “the more the merrier” when it comes to scoping but that’s not the case. This can potentially prolong the scoping process, wasting time and resources. To make sure your scoping process is both quick and comprehensive, you need to identify someone with technical, holistic understanding of the target, as opposed to nitty-gritty details. They need to speak with someone who understands how everything fits together, not the minutiae. There should also be someone involved who understands the goals of the penetration test. It’s not about titles, it’s about collecting the right knowledge.

Specifically, take the time to fill out the scoping survey with care and as much detail as you can provide. This shouldn’t be done by someone new to the company or an intern. The less the scoping team has to guess about your needs, the closer they can scope your test.

Why do we need all this information?

This may seem like a lot of information to collect but it’s important to provide the scoping team with the best information possible. The more information we have, the better we can scope to ensure you’re getting the services you need and only the ones you need. It also helps us ensure we’re allocating the correct resources, bringing the appropriate experts on to the assessment team. A pen test with Bishop Fox is a partnership, the scoping team acts as your personal shopper providing objective guidance based on what you tell them. Better scoping makes a better pen test.

Subscribe to Bishop Fox's Security Blog

Be first to learn about latest tools, advisories, and findings.


Default fox headshot purple

About the author, Jessica La Bouve

Solutions Architect

Jessica LaBouve (eCPPTv2) is a Bishop Fox Alumnus who was a Solutions Architect at Bishop Fox, helping facilitate the scoping and sale of offensive security services to a variety of industries and organizations. She regularly volunteers within the information security community by working with local Girl Scout groups on STEM weekends and providing support at conferences such as DEF CON and B-SIDES Tampa.

More by Jessica

This site uses cookies to provide you with a great user experience. By continuing to use our website, you consent to the use of cookies. To find out more about the cookies we use, please see our Privacy Policy.