My name is Kevin Bourne and I’m the Customer Success Manager at Cobalt. Over the past six months, I’ve kicked off 150+ pentests for companies ranging in size from Fortune 100 enterprises to small startup teams. Regardless of your company’s size, a successful pentest kick off is key. The kick off sets the tone and stage for the upcoming weeks of testing.
Different pentest providers can handle a kick off however they see fit, but usually this is done through a call. A Cobalt pentest kick off normally involves a half-hour phone call with a member of the Security Team and, ideally, a member of the customer’s Product Team. Product owners typically understand the target best, so having them involved in the pentest really helps, especially if the target is complex and requires a walkthrough for effective testing (the majority of our pentests are gray box).
Although this process doesn’t have many moving parts, if done poorly it can lead to delays in testing or to the pentest not meeting its objectives.
Here are a few tips that can help you properly kick a pentest off:
1. Align Teams + Individuals
In the preparation stage, it’s important to align the teams that will be involved in the pentesting process. In the kick off stage, it’s important to make sure that one or more members of your team understand the objectives of the pentest and the targets (assuming it’s a gray box pentest). The kick off call sets the stage for the testing and acts as the verbal confirmation that everyone is ready to go and in agreement. Things that help with alignment:
Ensure that everyone knows the start and end dates
Confirm test credentials are available or have clear instructions for pentesters on how to create users
Align on what type of testing the researchers will be performing, as certain tools and methods can impact your environments, especially if testing is done in production
Provide necessary documentation (e.g. if an API is being tested, provide its documentation where possible so that the researchers can understand how the API works and test its functionality effectively)
2. Enter the kick off with an open mind + positive attitude
It’s important to enter a kick off with a positive attitude and an open mind. Often there is a disconnect among teams: security, product, and engineering.
The third party pentesters are here to help make your environment more secure, not to bash your code or give you more work. If you’re secure, your users are secure, and that gives you assurance and can help keep you out of negative headlines.
Similarly, the third party pentesters should also be open, listen to the product owners, and in particular understand their risk picture. For example, a vulnerability might be critical from a purely technical perspective, but its business impact might be minimal, which makes the finding less critical in practice.
By being open and positive, you can align on expectations up front and get a better test with valuable results.
3. Come prepared
For the most part, you and the involved teams should be ready if you prepared properly for the test in what we like to call the preparation step of the pentest process. Even so, it can’t be reiterated enough: the more prepared you are in the early steps of the pentest process, the better the testing will be.
Make sure everyone is knowledgeable about the environments being tested, and also identify obstacles that could prevent security researchers from testing your targets effectively (e.g. user account creation, cloud provider authorization, setting up test environments, testing payment workflows, IP whitelisting, etc.).
4. Establish a communication channel for additional questions
When the kick off call is done, it’s still important to have an open channel for communication and collaboration. At Cobalt, we typically set up a private Slack channel for each engagement and also have a communication channel built into the Cobalt Platform for comments on specific findings. We use these channels to help facilitate conversation before, during, and after the pentest.
When people are aligned on the details, prepared with a positive attitude, and have a communication system that works, it leads to a better pentest with more coverage and better results. Hope these tips helped, and good luck!