HOW TO SCOPE YOUR PENETRATION TEST
If you’re reading this, then you probably don’t need to be convinced that you need to do some penetration testing.
The question now is:
What should I penetration test?
How much of “it” should I penetration test?
Where do I start?
And, I’ll answer your questions with a question of my own… What are your goals?
Are you doing a penetration test for compliance reasons?
Are you doing a penetration test to test how mature your incident response procedures are?
Are you doing a penetration test to leverage the results for some targeted budget?
Are you doing a penetration test to check out your internal exposure? External exposure? Patching?
Are you doing a penetration test to validate code as part of your software development process?
Are you doing a penetration test to verify your sensitive data is protected?
It may be that one (or all) of these things is part of what you want to achieve, which highlights why it’s so important to really think through the scope of what you want or need done as part of your penetration test.
But, before I answer your questions, you need to know that scoping is step 1 in our 9-step pentest pathway. We have a methodology that has proven its usefulness time and time again. You can create your own methodology, you can wing it, you can borrow something else… but why? This is already done and you can download it for free. Click here to request a PDF version of the Perfect Pentest Map.
What Should I Penetration Test?
You can’t even begin to test your organization’s security if you don’t know what you’re trying to keep secure (think critical assets). This is foundational in determining the scope of the security effort. Ask yourself, “Which applications and services (including business services) are critical for my organization?”
Identify the critical assets and business processes.
Determine the assets’ value to the organization with a “ranking” system.
Set appropriate levels of protection for each asset type.
Understand what data these critical applications create and where this data is stored and backed up.
Once you know these things, you should have a good idea of which networks, IP ranges, databases, user accounts, web applications, environments, established security controls, etc. will be part of the penetration test.
How Much Should I Penetration Test?
Most people don’t have infinite time and/or budgets, so you’ll need to decide whether you want to go narrow and deep, wide and deep, narrow and shallow, or wide and shallow. At a very high level, this is what will ultimately determine the amount of effort (and money) needed to conduct a useful test.
So, how do you determine how wide and/or deep to go? We can’t really answer that for you, so you’ll want to revisit the list of questions you’re trying to answer. Go as wide and as deep as you need to get the answers you’re looking for. Once you have your questions, we can certainly help determine precisely what that means in terms of effort.
NOTE: Basic network testing may meet the minimum thresholds for some compliance regulations, but if that’s all you do, expect to lose data very soon. Web applications, APIs, and databases typically have direct access to sensitive data, and web applications, APIs, and databases are typically reachable directly from the internet via web ports. That means you have connected your sensitive data to the Internet, and the only thing in between is your application security. Network testing is rarely enough.