Scoping a Penetration Test

September 20th, 2023 Posted in Penetration Testing

What is meant by the scope of a penetration test?

Assuming you already have an understanding of what a penetration test is and when to get one, within the world of penetration testing services, scoping refers to deciding which of the networks, devices and applications of your company need to be tested. Before engaging a penetration testing service provider, several factors must be considered to ensure a successful project. These factors include the size and complexity of the network, applications, specific security objectives, security controls already in place and lastly, the type of testing to be performed, and any off-limits systems to be barred from the test. Regular reviews of the scope are necessary to ensure that the test aligns with the organisation’s security aims. 

You may be wondering how to scope a penetration test. Some organisations will know exactly what they require for their pen test scope, but if this is your first time enquiring about pen testing, then you may be unsure what level of detail you need to provide your chosen pen test partner for security testing.  

The aim of this blog is to help you understand how to prepare for penetration testing so your chosen penetration testers can successfully scope your test.  

Why is getting the scope of a test so important?

To ensure that your company gets the best bang for buck with the scope of work, you need to work closely with the penetration testing company. Testers are dealing with a multitude of computer systems and applications within a short time frame, so it can be hard to understand the context of the applications. Context is key. 

For example, something that a penetration tester may deem to be a critical vulnerability may in fact only be a “Low” in the context of your application. Working with your provider prior to testing, to flesh out these details within the pen testing scope form, could save you a retest and a failed audit. 

As penetration testing has the potential to become expensive if not scoped accurately, it makes sense to provide as much detail as possible. We emphasise the importance of gathering this information because, unlike pen testers, unfortunately for you, threat actors have the luxury of time and are extremely patient when it comes to finding valuable content and exploiting security vulnerabilities for maximum gains.  

So, how do we scope a pen test? Remember – context is key to getting the most value out of a test. These details can be communicated in the form of documentation, parameters, past vulnerabilities, business logic, areas that are of concern and so on. Without this information, a pen tester could end up dedicating hours solely to enumerating parameters, which is counterproductive. It also means diverting resources from the more meaningful task of exploiting vulnerabilities and providing a comprehensive site-wide test. 

Appropriately planning your penetration testing engagement ahead of time, will ensure that any deadlines you need to meet are realistic and can be achieved without difficulty. Not only that, but it will also give you enough time to remediate any issues, and get retested before any go-live dates, not to mention result in fewer setbacks throughout the testing process.

Engaging with a pen-testing consultant

We recently wrote a blog on how to choose a good penetration testing provider – here we took a deep dive into what to look for such as finding a pen test partner that you can build a long-term relationship with and one that will help you to identify your requirements if you are not completely sure of what types of pen testing you need.  

It comes down to transparency and reliability. Reach out to your chosen provider to express any concerns you have ahead of the initial kick-off call so you can go into the engagement on the same page and have no surprises.  

It is worth asking a few important questions, to establish that the supplier is the right fit, such as, what is your methodology for penetration tests? What tools and techniques do you use?

You should also learn what a good pen test report should include before asking to see a sample report and what happens after a test.  

It is important to keep in mind that the scope of a penetration test is not a one-time decision. Regular reviews of the scope are necessary to ensure that the test aligns with the organisation’s security aims. 

Getting your penetration testing quote

Most penetration testing companies quote penetration testing as a day rate. As such, it is important to get the scoping correct from the outset before testing, to ensure the quote you receive from your provider is accurate and there are no hidden costs sprung on you later in the process. A good pen test vendor will ensure their costs are fully transparent. 

Penetration testing costs vary from supplier to supplier, so, as with all supplier onboarding decisions, it is important you do your research and gain costs from several service providers before making a final decision. If you can have all the scoping information to hand when collecting quotes from pen test providers, then you can make an informed decision from accurate scoping.  

How much a pen test costs depends on several factors, which we discuss in more detail in our comprehensive guide to understanding penetration testing costs 

Here at Evalian, we make sure the days quoted always include the number of days required for the testing work and the number of days required to prepare your remediation report. 

Want a fast pen test quote?

What are the 3 types of penetration tests?

You need to determine how a test will be conducted. For organisations looking to conduct a penetration test, understanding the definitions of each, is essential to ensure you are meeting your objectives. There are three main options: 

  • Blackbox:The penetration tester is not provided with any details, nor has any information prior to, or during the test. 
  • Whitebox:The pen tester is provided with all the information required to understand your systems. They may also have information given during the test.  
  • Grey box:This is a mixture of the two previous methods. For example, external tests may be carried out as ‘Blackbox’, and internal tests may be executed as ‘Whitebox’. 

White box, black box and grey box testing approaches have their own merits and are suitable for different exercises. It is not a case that one method is better than the other. Instead, one methodology is better for a particular type of test.  To learn more about the differences between black, white and grey box penetration testing, read our blog on the topic.  

Scoping an API test

Providing a comprehensive API Pen test scope document is paramount in procuring an effective test. With the following information, a tester can hit the ground running and have a clear context of what the API is doing, enabling us to develop a strategy for testing it. Information such as: 

  • The API URL and/or endpoints – this is so the tester can do any passive investigative work for areas that may have been missed or overlooked in the scoping document. 
  • The API roles to be tested – this includes role matrixes that aid testers in determining which roles have the capability to execute actions and methods. Without proper context, it becomes challenging for testers to discern these role-based permissions, consequently increasing the complexity and time spent ascertaining this information when testing authentication issues. 
  • Providing as much information as possible. Things like technologies, frameworks, protocols, and any available swagger, JSON, or Postman documentation. 
  • Providing a clear distinction of whether the API is working with an application or if there is an API which is separate from an application (this is important because it can be the difference between a single or a multi-phase test) could potentially save costs. 

Scoping a web application pen test

Scoping a web application test can be challenging for a few reasons, as someone who has developed or worked with web applications for years it can be easy to forget that people who have never seen or used the application, have no context/background knowledge about the application or how it processes sensitive data.

A tester’s job is to learn the application inside and out to effectively test it. If it is your first time using a scoping document and you are wondering how to scope a pen test, our team can provide a penetration testing scope example. Get in touch using the form below.  

The following information is typically enough to provide a good estimate of the test, it is important to note that the more accurate the information is, the less chance there is of the provider to “overscope” an assessment, saving your budget in the process. 

  • All application URLs and IP addresses – this is so a tester can do a non-intrusive passive investigation to fill in any blanks that could have been missed.
  • Number of User Roles and Access Levels – Understanding the quantity of user roles and their associated access levels is critical, particularly because authorization testing tends to be the most time-consuming area. Alternatively, if authentication is not a requisite, a tester should also offer unauthenticated assessments, which involve a vulnerability assessment of an application for weaknesses that might allow unauthorised access or are well-suited in cases where an application does not support user logins.
  • Does the application have an integrated API? If yes, then the test provider will need to know if it works exclusively with the application, or if it has external actions that are not related to the application.
  • Technologies – the tester will need to know frameworks, protocols, and cloud/server technologies in use. Read more on cloud penetration testing here.
  • Testing Environment – It is crucial to specify whether the assessment will take place in a production or test environment. This distinction is vital because testing methodologies vary depending on the environment to ensure that it does not interfere with your daily business operations. We strongly advise the use of a test environment as it not only allows for a more thorough assessment but also eliminates the risk of any disruptions to your essential business services.
  • Application Complexity – you should give a brief overview of how complex the application is. Is it a single static page serving information (less time to test), or is it a multifaceted application with several inputs, functions, and pages (a lot longer to test)? At Evalian, we understand that sometimes a scoping document is not enough to convey the complexity of an application – for this reason, we recommend setting up a quick call to demo an application.
  • Application Whitelisting – arguably one of the most important aspects of any test is whitelisting. Layers of active protections have the potential to be bypassed by attackers, such as any exploitable vulnerability lying dormant behind these layers. Whitelisting allows for defence-in-depth analysis. Often it is prudent to allow the tester through certain security filters which may be in place, such as WAF (Web Application Firewall), and IDS/IPS which react to well-known patterns of malicious traffic. During the assessment, which is time-bound, if certain security filtering is applied, it can limit the coverage of the assessment and the review of the attack surface may not be fully tested if testing traffic is blocked. 

Mobile application test scoping

Testing mobile applications shares many similarities with testing web applications, but there are a few distinctions. Much of the information required for a mobile app test aligns with web app testing, such as understanding user roles and access levels. However, in the case of mobile apps, it is crucial to specify whether the testing pertains to iOS, Android, or both platforms.  

Additionally, knowing if the application is accessible via app stores or if it needs to be sent to the tester is helpful. This distinction ensures that the testing approach aligns seamlessly with the unique characteristics of the in-scope mobile applications.  

Furthermore, we advise using a pen test provider that has the CREST OVS Accreditation, to add a layer of extra trust and ensure you are getting the best service for your application testing.

Scoping an infrastructure pen test

When testing the infrastructure of a company, it is broken down into two parts: Internal and External infrastructure assessments. 

An external infrastructure test assesses the security of an organization’s external network from the perspective of an attacker trying to breach the permitter of a company, and gaining access to a company’s network. 

For external tests, a tester only needs the following information to provide an accurate scope: 

  • The in-scope ranges with the expected number of live external IP addresses to be tested OR
  • A list of all the IP addresses 

An internal penetration test is about evaluating the security of a company’s internal networks, systems, and devices. Think of it as a “what if” scenario where we are pretending there’s already been a security breach, and checking to see how well the company’s internal defences would hold up.  

For Internal tests, the requirements are similar: 

  • The in-scope ranges with the expected number of live internal IP addresses. 
  • A breakdown of the hosts – a brief overview of whether they are servers, switches, firewalls etc. 
  • If any whitelisting has been done 
  • The environment the test will be carried out within – Production, staging etc. and if there are any areas that are off-limits so as to not disrupt daily activities. 

Conclusion

Hopefully, you now have a good understanding of how important a pen testing scope is, for both your organisation as well as the penetration testing provider. It is obvious that unexpected costs at the end of testing, will not be a welcome surprise for your business, particularly in the current climate, therefore getting the scope as accurate as possible prior to testing is paramount.  

Similarly, a testing partner will be working within a tight timeframe and will welcome as much detail on your systems and applications upfront, to minimise the disruption of a test process and to ensure the assessment goes smoothly in order to provide the best service possible.  

Download your free Guide to Penetration Testing here for a more in-depth look at the service and what to expect.

How we can help

At Evalian, we work on a basis of full transparency with real-world solutions. We put emphasis on ensuring your scoping documents are clear and understood fully, prior to carrying out your penetration test. If you would like to understand more about our pen testing services or discuss security issues, please contact our friendly team, who will be happy to discuss your requirements, guide you in what you need to be tested, and provide you with a free quote.  

Image Designed by slidesgo / Freepik

Hugh Simpson

Written by Hugh Simpson