Quality Assurance in Pentesting: An Intro to Pentest Preparation
by @jaypaz



Too Long; Didn't Read

Sales and sales engineering teams must be involved in the lifecycle of a pentesting project. They can gain clarity on unknowns by asking questions like: How many IP addresses within the CIDR range are active/responding/live? What services are responding behind those IP addresses? What is the primary role of the assets in scope? The more they can discover and clarify, the more aligned the project will be. For the customer, a more clearly defined scope of work will yield a more accurate representation of how long a project will take, which translates to a more accurate statement of work.
Jay Paz, Senior Director, Pentester Advocacy & Research at Cobalt

Initially, this article was going to focus on staffing and all the activities associated with putting together the most qualified individuals to cover the scope of the pentest. However, after interviewing a few of my collaborators for this series, including Encore Capital Group CISO Scott King, whom I’ve quoted throughout this piece, I quickly realized the need to focus more on the preparation phase of the pentesting lifecycle. In this article, I’ll detail the involvement needed from the sales and sales engineering teams to ensure proper alignment and ultimately a successful, high-quality pentesting experience.


Image attribution: Vecteezy.com

As Pentest as a Service (PtaaS) providers work to align with customer expectations, it is critical for sales and sales engineering teams to engage in the conversation and try to discover any and all unknown variables.


“If you don't prepare right, the quality of the final output is not going to be at the level you expect it to be.” -- Scott King, CISO at Encore Capital Group


For example, at Cobalt, there are times when a customer will provide us with a range in Classless Inter-Domain Routing (CIDR) notation to communicate the size of the network they want assessed. While this does give us a rough estimate of the overall size of the environment, it does not give us the detail needed to gauge the full scope and the level of effort required to complete the project: a /24 tells us how many addresses exist, not how many hosts are live or what they run.


Pentesting in Practice


This is where sales and sales engineering are greatly beneficial. They can gain clarity on unknowns by asking questions like:


  • How many IP addresses within the CIDR range are active/responding/live?
  • What services are responding behind those IP addresses?
  • What is the primary role of the assets in scope?
  • What is the most important thing you feel we should know about these assets?
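To make the gap between a bare CIDR range and the answers to these questions concrete, here is an added example (not from the article or from Cobalt) that reconciles a customer's declared live hosts against the ranges they gave us; the addresses, services and roles are constructed sample data from the TEST-NET reserved blocks.

```python
import ipaddress
from collections import Counter

# Constructed sample: the ranges named on the scoping call, plus the customer's
# answers to the discovery questions (which hosts are live, what they run, their role).
SCOPE_CIDRS = ["203.0.113.0/24", "198.51.100.0/28"]
CUSTOMER_INVENTORY = [
    {"ip": "203.0.113.10", "services": ["https", "ssh"], "role": "customer portal"},
    {"ip": "203.0.113.11", "services": ["https"], "role": "customer portal"},
    {"ip": "203.0.113.50", "services": ["smtp"], "role": "mail relay"},
    {"ip": "198.51.100.3", "services": ["rdp"], "role": "jump host"},
    {"ip": "192.0.2.7", "services": ["https"], "role": "staging"},  # not inside any declared range
]


def summarize_scope(cidrs, inventory):
    """Turn CIDR ranges plus declared live hosts into a scoping summary for the SOW."""
    networks = [ipaddress.ip_network(c, strict=False) for c in cidrs]
    per_range = {str(n): {"addresses": n.num_addresses, "live": 0} for n in networks}
    out_of_scope = []       # hosts the customer listed that no declared range covers
    services = Counter()    # what is actually exposed, which drives effort more than size
    roles = Counter()

    for host in inventory:
        addr = ipaddress.ip_address(host["ip"])
        match = next((n for n in networks if addr in n), None)
        if match is None:
            out_of_scope.append(host["ip"])  # flag for a follow-up question, do not silently add
            continue
        per_range[str(match)]["live"] += 1
        services.update(host["services"])
        roles[host["role"]] += 1

    return {
        "per_range": per_range,
        "total_addresses": sum(r["addresses"] for r in per_range.values()),
        "total_live": sum(r["live"] for r in per_range.values()),
        "services": dict(services),
        "roles": dict(roles),
        "out_of_scope": out_of_scope,
    }


if __name__ == "__main__":
    summary = summarize_scope(SCOPE_CIDRS, CUSTOMER_INVENTORY)
    print(f"{summary['total_live']} live hosts declared across {summary['total_addresses']} addresses")
    print("services:", summary["services"])
    print("needs clarification (outside declared ranges):", summary["out_of_scope"])
```

The 272-address range collapses to four declared hosts, and the staging host the customer mentioned but did not include in a range surfaces as a question to resolve before the statement of work is written.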


Giving sales engineering a seat at the table during the preparation phase of a pentest project benefits both the customer and vendor long-term. The more they can discover and clarify, the more aligned the project will be. For the customer, a more clearly defined scope of work will yield a more accurate representation of how long a project will take, which translates to a more accurate statement of work. For the vendor, this aligns expectations from Day 1 and ensures resourcing is accurate to best suit customer needs.


The information discovered in the sales cycle needs to be clearly communicated down the line to those conducting the pentests; otherwise, there is no way to keep aligning with and meeting customer expectations. If this information is not shared, verbatim, with the testers, there are bound to be gaps in the testing process, and those gaps will translate into the perception of a low-quality engagement.


Gathering this information is critical, but communicating these details to project managers and testers is just as important. Having a clearly defined process to ensure this happens is a clear signal of the care and quality the delivery team brings to the work. A lack of internal communication does not bode well for a quality pentest. Keep this in mind as you go through the process of defining the project particulars. If you are working with a vendor, pay special attention to how they handle this transfer of information. Similarly, if your organization has an internal security team, bringing them into the fold as soon as possible is essential.


“For me, the output is highly dependent on the level of rigor that goes into the prep work, and the level of knowledge transferred from that prep work to whoever ends up doing the testing.” -- Scott King, CISO at Encore Capital Group


We also must discuss the preparation needed before the pentest project is set to start. If the pentesting team does not have what they need to be successful, the test will be delayed, the assets won't be fully tested, or items may be missed, and customer expectations will be difficult to meet. All of this activity should be expected from the provider; however, the pentest consumer also plays a pivotal role in preparation.


From a consumer’s perspective, it is important to ensure the appropriate login credentials have been shared with pentesters, access to the needed environments has been verified, the need-to-know internal team members are aware, and the test dates are confirmed. This provides a greater return on investment and maintains alignment with the project’s expectations. Not being prepared and active before and during the test is a guaranteed way to hit snags during the test window. Penetration tests are a scheduled activity with clearly defined start and end dates; if these items are not in place, resources may need to be reallocated to other projects and deadlines will be missed.


Now that we’ve started the conversation, we want to hear your thoughts on the subject of quality in penetration testing. Have something to share about the preparation phase? Did I miss anything you find critical? Send us your thoughts at [email protected]. In my next piece, we’ll be exploring the staffing of a project, both from the vendor and buyer sides.