Preparation is the first stage in the pentesting lifecycle.
What does this entail? For us at Cobalt, preparation includes the pre-sales cycle, scope agreement, testing brief creation, tester staffing, credential sharing, and any kickoff or preparation calls needed before the testing begins. In other words, everything that is needed to perform the pentest must be aligned upon during this step.
The preparation phase is absolutely critical to the success of the pentest, and it’s also the first place where we define what quality will look like. It sets the tone for the entire engagement both from a customer and vendor perspective. Breaking this stage up into smaller parts enables us to focus on the impact each has on defining the quality of the engagement.
Here, I will delve into the pre-sales cycle and scoping process -- two key components of the preparation stage -- and explain how they are pivotal for defining the quality of a pentest engagement:
During the pre-sales process, customers' expectations are derived from their motivation or need for the pentest, as well as any other experiences they have with a vendor they have engaged in the past. At times, it is upon us, as the vendor, to re-align expectations, especially when other vendors have set unrealistic or erroneous expectations around how they deliver or approach the work. Ensuring that we are all on the same page benefits the entire delivery process, and adds to trust and customer loyalty.
Knowing motivations and expectations, a sales team can work to ensure a vendor is capable of delivering to both. The motivation for a pentest drives the quality. For example, bolstering an organization’s overall security posture is a very different motivation than ticking boxes to impress a potential customer or snag a new certification. Those motivations can translate into vastly different end results: A proactive, preventative pentest program is very different from a compliance-driven pentest engagement.
By enabling sales teams and providing them with the appropriate resources to fully verify capability, capacity, and alignment, pentesting vendors can confidently approach their customers with solutions that will meet (and exceed) their needs. Sales teams should have a comprehensive understanding of a vendor’s offerings, differentiators, approach, and delivery motion so they can transfer that knowledge and confidence to their customers.
This is where expectation alignment begins, and it sets the stage for everything to follow. Now that we know why the customer needs a pentest and what they expect from it, we can move into the next stage: scoping.
Scoping Process
Perhaps the most critical aspect of overall quality is knowing what is in and out of scope. I have found that the majority of escalations occur as a result of a lack of communication and alignment between customer and delivery teams regarding what should be tested and what should be avoided. Arriving at what needs to be tested is an essential step in being able to deliver with high quality.
Through collaboration with customers, it is imperative that pentesting vendors are able to understand the size and complexity of each project to better estimate the level of effort needed to adequately test each component. Similarly, it is important to understand what isn’t in scope, what should be avoided, what areas of an environment are critical, and which areas pose a risk of downtime. If we do not align on this, there is a higher risk of disruption, which translates to low quality and customer escalations.
This alignment is a shared responsibility. As the consumer of a pentest, it is important that everything about the environment is shared. Just as important as sharing the motivator for the test, it is necessary to provide the pentest partner with the details about the environment, network, or application to ensure the vendor is well aware of any specifics that may affect the testing negatively. Customers should similarly seek out vendors who work to find the details and not just provide a general assessment of the environment in question. Being open about all of this is crucial to establishing trust. Trust is the cornerstone of a successful working relationship and by creating that trust both customer and vendor work more comfortably with each other and the return on investment is maximized.
The next installment in this series will continue to dissect how our industry defines quality in pentesting in the preparation stage of the pentesting life cycle and how to set your pentesting engagements up for success.
Stay tuned! Lots more to chat about on this topic.
Image attribution: Vecteezy.com