Defining the scope of your penetration testing work generally involves two steps:
You need to understand the context and determine whether you are the right person for the job, from both your perspective and your client’s. This is the purpose of the scoping meeting. It generally covers the following points:
Overview of the client’s company and your company
Discussions on the scope of the test
Discussions on timeline and budget
You’ve been commissioned to conduct the penetration test, and now it’s time to get started. The purpose of the kick-off meeting is to:
Confirm the scope and prerequisites of the test.
Sign a scoping document.
Hold a Meeting to Discuss Requirements
Step 1: Present Your Approach
After a quick round of introductions, it’s a good idea to explain the pentester’s job and role, what they do, and what they don’t do, especially if the client isn’t familiar with the process.
The more the client sees the exercise as an opportunity rather than a punishment, the more useful the information they’ll give you for the pentest.
This is when you talk about the different approaches to pentesting: black box (you start with no information beyond the target itself, as an outside attacker would), gray box (the client gives you some information or access, typically test accounts for each user profile), and white box (full knowledge, including architecture documents and source code).
And don’t forget to make it clear to the client that you won’t intentionally cause a denial of service (DoS), but do caution that it can happen: there’s no such thing as zero risk, even when you take the usual precautions. Here’s a short anecdote to illustrate this point:
I took the network down for a few minutes during a pentest at a small company. Sounds like a disaster, I hear you say! Well, yes and no. Yes, because it shouldn’t happen, and no, because it would have been hard for me to predict that it would. In my opinion, I did the right thing by the client: I realized that this activity could have an impact, so I did it at a time that had minimal impact on the company, at the very end of the afternoon.
Let’s move on to the most important thing for you: knowing what you’ll be working on, what the client wants, and by when! This is what a scoping meeting is all about.
Step 2: Define the Scope of Testing
The most important thing is to fully understand the scope. So, ensure you ask the client all the questions you can and paraphrase the answers to be sure you’ve understood what the client wants.
Here are some important questions to ask:
To define the approach you’ll be taking:
What function does the application serve?
Why is it important to the company, and what are the main risks the client has identified for this application?
Why does the client require penetration testing (preproduction checks, regular testing, checks following the correction of previously identified vulnerabilities, regulatory requirements, etc.)?
What is the client’s preferred approach to penetration testing (black, gray, or white box)?
To determine the technical details:
What is the application’s URL or IP address?
Are we looking at the entire server or just the application?
In particular, are services other than web services included in the scope?
Will testing be carried out in a production or acceptance test environment?
How many user profiles (roles) does the application have, and will you be given a test account for each of them?
What technologies are involved? (This is more of a white-box question, but any information is good to have.)
We also recommend asking for a demonstration of the application if possible, as this is often a very effective way of assessing its complexity.
Over to You!
Scenario
Jessica Thomas, manager of the Offensive Security team at the company you work for, has forwarded Thibaut an email from a client requesting a penetration test:
Subject: Question about cybersecurity services
From: Mike King <mike.king@example.com>
To: Jessica Thomas <jessica.thomas@cybersecurity.com>
Good afternoon,
My name is Mike King, CTO of example.com, a healthtech web application that has been around for several years now. Our application aims to address some of the problems facing public hospitals in New York State, which use a system that is generally poorly computerized, with essential components such as care pathway orchestration and inventory management rarely automated. Our mission is to help these hospitals become as efficient as possible, and to improve the reliability of some of their processes.
I’m contacting you for information about your services, especially your cybersecurity services, as we need to test the security of the web application we’re deploying to our partner hospitals. We’d like to check that the application’s level of security is up to the task at hand. After all, protecting the confidentiality of patient data, in particular, is a top priority for us. Please get back to me as soon as possible so that we can discuss the possibility of working together fairly quickly. We’re based upstate in Buffalo.
Thanks!
Kind regards,
Mike King
CTO – example.com
Instructions
Jessica has asked Thibaut to prepare questions for the scoping meeting and to set up an appointment with the prospective client. And you’re going to help him do that!
Jessica has made it clear that it’s important that you suggest to the client that you carry out the assignment remotely, as they’re located too far from your offices and want to get started quickly.
In this exercise, you’re going to list the questions Thibaut will have to ask at the scoping meeting to understand the client’s needs and obtain all the prerequisites.
So, what do you think? Which questions can you come up with based on what we’ve learned so far in this chapter?
Step 3: Discuss the Timeline and Budget
The timeline is just as important as the assignment itself, as it contributes to the overall quality of the service you’re providing.
If you and the client are finding it difficult to agree on a timeline, try to find some middle ground. If you can’t, it’s best to just walk away. Clients will always appreciate honesty more than broken promises, and they’ll think of you again for their next project.
Lastly, you can raise the issue of their budget. Most of the time, clients will tell you that they don’t have a budget in mind (which more often than not is untrue).
Hold a Kick-Off Meeting
The kick-off meeting takes place once the client has accepted your proposal.
Step 1: Confirm the Scope and Prerequisites
At this meeting, you will do the following:
Introduce the person or team who’ll be carrying out the assignment.
Confirm the scope.
Inform all stakeholders about the testing.
Check a number of logistical aspects to avoid any unpleasant surprises, such as:
Confirm the format of deliverables: Some companies have a standardized approach and prefer you to use their formats.
Discuss and agree on the communication procedures, including document encryption: who to contact in the event of a problem, how (email, text message, etc.), and how to protect documents (encrypted ZIP, Zed!, cloud sharing, etc.).
Confirm the time windows during which you can run the tests, or those you should avoid (Hello, end-of-month payroll applications!).
Determine whether you need to send an email before each test day and, if so, to whom (Security Operations Center and/or business teams).
Determine whether you can use your own computer or whether you need to ask the client to provide you with one. Be careful here though: not having your own tools is, in my opinion, a real productivity drain.
Determine whether you can work remotely via an SSL VPN account.
Checking these points ahead of time will help you build a good working relationship with the client, especially as you’re showing consideration for how they work. There have been times when I, and former colleagues, have had to reformat a deliverable because we’d forgotten the client needed it in their particular format! A document that’s just a few pages long is fine, but a 70-page report is a different matter. We’ve learned our lesson!
Step 2: Write a Scoping Document
Some pentests are tied to a certification or regulation that prescribes a standard set of tests to perform. For other pentests, there are no hard and fast rules, but there are best practices to follow, such as the methodology described in NIST SP 800-115 (Technical Guide to Information Security Testing and Assessment). The scoping document is one of them.
The scoping document summarizes everything that you’ve discussed with the client (scope, procedures, etc.). It’s a fairly standard document and quick to fill in.
The reality on the ground may sometimes mean that we start testing before the document has been signed, or that the document is never produced. This is not normally a problem, provided the contract you have with your client already authorizes the testing and states what is in scope: that written authorization is what separates a pentest from unauthorized access.
However, we strongly advise you to prepare this document and remind the client that you need it signed before testing can start. It provides a basis for discussion in the event of any problems with the scope or the testing timeline.
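The scope questions from the scoping meeting (URL or IP address, whole server or just the application, non-web services) and the time windows agreed at kick-off are only useful if they are enforced when you launch your tools. The following Python scope guard is an added example, not code from this chapter: it turns the contents of a signed scoping document into a check to call before any scan or exploit attempt. The hostnames, the 203.0.113.0/28 range (a documentation-only network), the allowed ports, the windows and the blackout date are constructed assumptions standing in for a real client’s scope.

```python
"""Scope guard: enforce the signed scoping document before launching tests.

Added example. The SCOPE values below are constructed assumptions, to be
filled in from the document the client signed at the kick-off meeting.
"""
from datetime import datetime, time
from ipaddress import ip_address, ip_network
from urllib.parse import urlsplit

SCOPE = {
    # Hosts and networks the client put in scope (203.0.113.0/28 is a
    # documentation-only range used here as a placeholder).
    "in_scope": ["app.example.com", "203.0.113.0/28"],
    # Explicit exclusions the client asked for; these always win.
    "out_of_scope": ["203.0.113.5", "admin.example.com"],
    # "Just the application": only web ports, no other services.
    "allowed_ports": {80, 443},
    # Agreed test windows per weekday (0 = Monday), local client time.
    "windows": {d: (time(9, 0), time(18, 0)) for d in range(5)},
    # Days to avoid entirely, e.g. the end-of-month payroll run.
    "blackout_dates": {"2024-06-28"},
}


def parse_target(target):
    """Return (host, port) for a URL, a host:port pair or a bare host/IP."""
    if "://" not in target:
        target = "//" + target          # make urlsplit read it as a netloc
    parts = urlsplit(target)
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return parts.hostname.lower(), port


def _matches(host, entry):
    """True if host equals the scope entry or lies inside its IP network."""
    try:
        return ip_address(host) in ip_network(entry, strict=False)
    except ValueError:                  # host or entry is not an IP/CIDR
        return host == entry.lower()    # strict name match, no wildcards


def in_scope(host, scope=SCOPE):
    """Exclusions beat inclusions; anything unlisted is out of scope."""
    if any(_matches(host, e) for e in scope["out_of_scope"]):
        return False
    return any(_matches(host, e) for e in scope["in_scope"])


def within_window(when, scope=SCOPE):
    """True if `when` falls on an allowed day inside the agreed window."""
    if when.strftime("%Y-%m-%d") in scope["blackout_dates"]:
        return False
    window = scope["windows"].get(when.weekday())
    return window is not None and window[0] <= when.time() < window[1]


def authorize(target, when, scope=SCOPE):
    """Return (allowed, reason). Call this before every scan or exploit."""
    host, port = parse_target(target)
    if not in_scope(host, scope):
        return False, f"{host} is not in the signed scope"
    if port not in scope["allowed_ports"]:
        return False, f"port {port} on {host} is outside the agreed services"
    if not within_window(when, scope):
        return False, f"{when:%Y-%m-%d %H:%M} is outside the agreed test window"
    return True, "authorized"


if __name__ == "__main__":
    now = datetime(2024, 6, 26, 10, 30)     # a Wednesday, inside the window
    for t in ["https://app.example.com/login", "203.0.113.5",
              "http://203.0.113.4:8080/", "app.example.com:22"]:
        print(f"{t:35} -> {authorize(t, now)}")
```

Two design choices worth keeping whatever scope format you use: explicit exclusions always override inclusions, and a host that is not listed is out of scope rather than assumed in (ask the client about a newly discovered subdomain instead of guessing). The window’s end time is exclusive, so a scan started at 18:00 sharp is refused.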
Let’s Recap!
The scoping meeting is an exercise designed to gather the client’s requirements so you can put together a service proposal, either as a quotation or business proposal for an external company or as an in-house engagement agreement, for example.
At the end of this meeting, you should at least know the scope of the testing, the approach (i.e., black, gray, or white box), and the timeline.
The kick-off meeting takes place once the client has approved your proposal and is an opportunity to make sure all stakeholders are aligned with what was agreed at the scoping meeting. This is when you discuss all the technical and logistical details.
A scoping document sets out all these points clearly. This document does not override the contract between your two companies, but instead complements it.
In the next chapter, we’ll continue to plan for the testing, focusing on preparing your work environment to save time at the start of the pentest.