Pentest Scope: How to Determine the Testing Scope?

8. April 2020

Pentests are one of the most effective security analysis methods for checking the IT security level of a company and identifying opportunities for sustainable improvement. In addition, proof of having conducted a pentest is an important component of many compliance requirements, such as the PCI DSS. Some preparatory steps are necessary before the actual pentest can be conducted, in order to guarantee that the analysis is optimally tailored to your company. In our series, we provide you with important information to consider when preparing for your pentest.

What is the pentest scope?

The pentest scope defines the environment to be tested, including all systems and applications involved. Important criteria for defining your scope are the need for protection, possible risks of compromise and the time allocated for the pentest.

Criterion 1: Need for protection and risk assessment

The need for protection of an IT asset (system landscapes or applications) is determined based on protection objectives and the data that is processed, stored and/or forwarded.

Protection objectives are special requirements for an IT asset that must be fulfilled. The three most important protection objectives are:

  • Confidentiality: No information is disclosed to unauthorized persons.
  • Integrity: Neither the data nor the underlying systems can be changed by unauthorized users.
  • Availability: The IT asset and stored data can always be accessed and used as intended.

You should also examine the risks associated with a compromise or violation of the protection objectives. Ideally, a company maintains an inventory of its IT assets in which each asset is classified according to its protection objectives. Using this inventory, the pentest scope can be determined much more quickly.

Criterion 2: Attack scenarios, analysis approach and depth of testing

Possible attack scenarios should be derived from the protection needs and the risk assessment. You should examine which type of attacker (e.g. a person with access to the system) can reach an IT asset, and in which manner they could compromise it. The protection requirements, the risk assessment and the selected attack scenarios together yield an analysis approach that reflects the motivation and means of such an attacker.

The depth of testing determines the extent and intensity of the analysis of an IT asset. The appropriate depth of testing should always be selected depending on the defined protection requirements and the risk. Consequently, an asset with a very high protection requirement and a high risk should be tested more intensively than an asset with a low protection requirement and a low risk.

Criterion 3: Available timeframe

Since the testing scope can be defined relatively broadly, the time allocated for the analysis is an important criterion for determining the scope. If only a short timeframe is available for the analysis, the focus should always be on reviewing the IT assets with the greatest need for protection. The scope therefore always depends on the time allocated.

For very large system landscapes or a greater number of identically structured applications, “sampling” of the IT assets to be tested can be useful. In such a sampling process, identical IT assets that are likely to have similar vulnerabilities are identified. A relevant sample for the pentest can be chosen from the list of identical IT assets, which significantly reduces the time required.
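The three criteria above can be applied mechanically once the asset inventory exists. The following script is an added illustration, not code from usd HeroLab: it scores each asset by protection need and risk (criterion 1), derives a depth of testing from that score (criterion 2), samples identically structured assets and fills a time budget with the highest-need assets first (criterion 3). The inventory, the score thresholds and the person-days per depth are constructed assumptions.

```python
from dataclasses import dataclass

# Ordinal levels for the two classifications criterion 1 relies on.
LEVEL = {"low": 1, "medium": 2, "high": 3}
# Effort per depth of testing in person-days; constructed figures, not from the article.
DAYS_PER_DEPTH = {"basic": 1, "standard": 2, "intensive": 4}

@dataclass(frozen=True)
class Asset:
    name: str
    protection_need: str  # low / medium / high, taken from the asset inventory
    risk: str             # risk of compromise: low / medium / high
    template: str = ""    # identically structured assets share a template name

def priority(asset: Asset) -> int:
    """Criterion 1: protection need weighted by the risk of compromise."""
    return LEVEL[asset.protection_need] * LEVEL[asset.risk]

def depth(asset: Asset) -> str:
    """Criterion 2: depth of testing follows the combined score (thresholds assumed)."""
    return "intensive" if priority(asset) >= 6 else "standard" if priority(asset) >= 3 else "basic"

def sample_identical(assets):
    """Criterion 3, sampling: one representative per template, highest priority first."""
    representative, members = {}, {}
    for asset in sorted(assets, key=priority, reverse=True):
        key = asset.template or asset.name
        representative.setdefault(key, asset)          # first seen = highest priority
        members.setdefault(key, []).append(asset.name)  # who the sample stands for
    return list(representative.values()), members

def plan_scope(assets, budget_days: int):
    """Fill the time budget with the greatest protection need first; report what stays out."""
    candidates, members = sample_identical(assets)
    in_scope, out_of_scope, used = [], [], 0
    for asset in candidates:  # already ordered by priority
        d = depth(asset)
        if used + DAYS_PER_DEPTH[d] <= budget_days:
            in_scope.append((asset.name, d, members[asset.template or asset.name]))
            used += DAYS_PER_DEPTH[d]
        else:
            out_of_scope.append(asset.name)
    return in_scope, out_of_scope, used

# Constructed sample inventory; names and classifications are illustrative only.
INVENTORY = [
    Asset("customer-portal", "high", "high"),
    Asset("build-server", "medium", "high"),
    Asset("shop-tenant-01", "medium", "medium", template="shop"),
    Asset("shop-tenant-02", "medium", "medium", template="shop"),
    Asset("intranet-wiki", "low", "low"),
]
```

With a budget of 10 person-days, `plan_scope(INVENTORY, 10)` tests the portal and the build server intensively, one shop tenant as the sample for both, and defers the low-need wiki.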

Do you need assistance with the planning, implementation or post processing of your pentests? Businesses worldwide rely on usd HeroLab’s highly trained team to identify gateways for attackers and demonstrate ways to sustainably improve their IT security. We are happy to assist you with all your requirements.

Contact us, we will be happy to discuss your options.
