Get started with planning your pentest with these 4 questions

15. January 2021

Planning penetration tests, or pentests for short, can become very complex at times. In the following, we provide you with tips that have proven to be effective in our pentest planning – based on simple questions:

What should be tested?

First of all, make a list of your IT assets (system landscapes or applications) to help you get an overview. With the help of this list, you should decide which of your assets need to be tested, with what priority, and at what depth of testing. Base your decision on the need for protection or the business continuity management relevance of each asset. It is best practice to take a risk-based approach and adapt the type of testing (pentest or scan) to the criticality of the asset, if necessary. This will provide you with a broad estimate of the effort required and the testing scope.

How should the tests be conducted?

Once you know what you want to test, you can define a suitable process for executing the tests. You should consider the fundamental process, as well as defining roles and responsibilities: Should there be a central unit that initiates the process? Who needs to be involved in the planning? In what time frame should the tests be conducted? What escalation processes are needed? Who receives the test reports in the end, and what happens after that? What do we even mean when we talk about pentests, scans or re-tests? How should findings be classified? Who is responsible for fixing the findings? How do we keep track of the identified vulnerabilities and the progress of the analyses? How does feedback reach risk management?

You should clarify these and many more organizational questions in advance, summarize them in a concept for conducting technical security analyses and communicate them within the company.

At what intervals should tests be conducted?

It is recommended to set a general schedule for the following year (or the defined test period) at the end of the year and to plan for appropriate buffers for preparation, coordination or postponement. You should prioritize and coordinate with the asset managers regarding planned releases, updates, frozen zones, etc.

Who should perform the tests?

It has become general practice in most companies to work with two or three different service providers in the context of technical security analyses – even if the expertise to perform such analyses is available in-house. This helps to avoid “blind spots”, and the different test procedures ensure that as many vulnerabilities as possible are identified. Based on your own requirements, you should decide whether to work with one service provider at a time or to distribute the assignments among several service providers. Regardless of which variant you choose, the approach for conducting the tests and the criticality classification of findings should be the same for all service providers to ensure comparability of test results. An additional tool for decision-making is the proof-of-concept method. It is a kind of “pre-test” which enables better comparability of the service providers and a well-founded quality assessment of the respective service provision.


Do you need support? Please contact us, we will be happy to help you.
