Three Things That Can Slow Down Your Penetration Test
Penetration tests often have tight deadlines in order to meet budget, compliance, and other regulatory goals. Any obstacle in the testing process can cause delays that negatively impact the business and push back the discovery and remediation of risks. From our observations, there are three things that cause unnecessary delays: bad or missing credentials, getting blocked by security devices (not being whitelisted), and poor communication.
Bad or Missing Credentials
Once a developer delivers credentials and a target IP address or hostname, the security consultants should begin verifying access to the testing environment immediately. Due to time constraints, access is sometimes not checked until the start of the assessment, and any problem found at that point cuts directly into testing time. Developers should ensure that all credentials are provided before the assessment begins and that the environment is set up and reachable by the testers.
Getting Blocked by Security Devices
Once testing is in its main phases, consultants will run automated scans against the application. The high volume of traffic, the security payloads, and the automated nature of the scan can trigger security controls that automatically lock out or block accounts. This halts testing until the accounts can be unlocked, which can take some time. For this reason, it is important for consultants to provide the accurate source IP addresses they will test from and to have multiple means of accessing the network. The application team should ensure that they have collected all necessary information from the consultants and have informed all required parties on their team that testing is under way, so that no security controls are inadvertently triggered. Ensuring a tester is properly whitelisted and has the correct network access before the assessment begins can save a lot of headaches mid-test.
Poor Communication
Changes during an assessment can impact the deadline if all parties are not aware of them. For example, if an application team modifies the environment halfway through an assessment, the testers should be informed as soon as possible so they can rerun any scans or tests whose results may now be outdated. Likewise, testers should notify the application team immediately if an application server goes down.