Ten Practical Tips For High-Value Pentest Engagements
Many organizations see penetration testing as an annual, obligatory exercise to check the compliance box and move on. As a result, these companies rarely get interesting or severe vulnerabilities from their pentests. However, by applying best practices from other practitioners and enlisting an effective pentesting partner, you can drastically increase the odds of getting interesting and impactful results from your pentests to go beyond basic compliance requirements to improve security posture and build resistance to attacks.
Spencer Chin is the Head of Solutions Engineering for the Americas at HackerOne, and Jasmin Landry is a Senior Director at Nasdaq and a HackerOne penetration tester. Together, they have helped hundreds of organizations, such as Grammarly, Zebra, and Jedox, scope and execute penetration tests so they get the best results possible. These tips are based on real-world experience and are structured to help your organization execute a successful pentest engagement from start to finish.
Before the Pentest
1. Make Backups and Test Them.
In some cases, pentests are performed on production environments. When this is the case, ensure your organization has backups of all its data and verify the backups are working by testing a restore before the pentest begins. It’s best to prepare for data restoration, as accidents can and will happen during pentests.
2. Have an Incident Response Plan Set and Ready to Execute.
Sometimes, pentesters find vulnerabilities that can either cause an incident (which is rare) or find evidence a malicious actor has already exploited a vulnerability in the past.
If this happens, you may need to start your incident response (IR) plan. Thoroughly test your IR plan, and ensure every team member knows their roles and responsibilities. For example, if pentesters discover a vulnerability was exploited and used to exfiltrate Personally Identifiable Information (PII), your IR plan must be ready to initiate immediately.
3. Make It Graybox
Deciding whether your pentest should be black box, white box, or gray box depends on your goals. A black box test provides very limited or no information about the assets being tested; a white box test provides full information about the assets being tested, including, but not limited to, source code and credentials; and a gray box test is somewhere in the middle.
Organizations typically use a black box assessment to simulate what a remote adversary could discover about them and how they could leverage that intelligence to perform a cyberattack. Many customers decide to go with a black box approach because they feel that this will best simulate an actual adversary with limited knowledge of your organization. However, this discounts the fact that adversaries generally have much more time to devote to their attack than a pentester. Pentesters are limited to a couple of weeks of testing, while adversaries have unlimited time.
Gray box penetration testing bridges this time gap by providing relevant information to testers so they can focus on finding vulnerabilities. If your goal is to identify vulnerabilities on your assets in the most efficient way possible (and therefore the most cost-effective), then a gray box approach will be most effective.
Provide your pentest team with the following information and access in a gray box test:
- Multiple user roles with varying levels of access. Providing multiple user roles enables testers to verify that authorization controls are working as intended and generally gives them access to test more of the asset.
- Information on the technology stack. Different technologies are more susceptible to certain types of vulnerabilities.
- Where the application is hosted. Attack methods change depending on whether the application is in the cloud or on-premises.
- Add the pentest team to your firewall (or WAF) allow list. Avoid the pentest team getting rate-limited or blocked and focus their time testing the application.
HackerOne has an in-platform pentest scoping form to facilitate the collection of this key information and which assets should be tested. The scoping form makes it easy to securely share details with the pentest team so that they can make the most of the time allotted.
4. Have an Up-to-Date Inventory of Your Assets and Asset Owners
A pentest may include a wildcard domain, an IP range, or even all the assets owned by a company. Find out the owner of all assets in scope. Fix any critical vulnerabilities as soon as possible. Assign and share organizational contact information so testers can ask questions as needed.
The HackerOne Asset Inventory provides a centralized location to manage all your assets and the associated application security testing at scale. Visit this page to learn more about our attack surface management solution.
5. Loop in Your Dev Team
When planning an engagement, alert your development team to the fact that you’re running a pentest. In most cases, vulnerability remediation will fall on your development team, and no one likes unexpected, high-priority work showing up on their doorstep.
HackerOne Pentest has a variety of integrations with Software Development Life Cycle (SDLC) tools such as JIRA, ServiceNow, Github, and Gitlab to streamline your remediation efforts. These integrations allow you to push vulnerability reports from HackerOne into the native tools your developers use so they don’t have to alter their workflows.
The full list of integrations for the HackerOne platform can be found here.
6. Prepare the Environment With a Checklist
Once you have considered all the points above, the last step is to prepare the testing environment to kick off the pentest smoothly and on time. A quick checklist:
- Confirm the environment is accessible.
- For mobile applications, ensure the testers understand how they get the application (Are you providing an APK/IPA file, using Google Play Console/TestFlight, etc.).
- If you need to add the pentest team to the allow list for your firewalls or other systems, confirm those changes are applied and functional.
- Provide all required credentials for testers and test the credentials to ensure they are functional.
After the Pentest
If you have followed the steps above to prepare your pentest properly, you should have impactful results to help improve your security posture.
7. Debrief With Your Security Team
Review the vulnerability reports and use them as a tool to improve your remediation efforts and fine-tune your detection capabilities for future attacks.
A pentest is a fantastic opportunity to understand your assets' vulnerabilities and how effective your defense, detection, and response efforts were. Find out:
- Were any alerts triggered?
- Did the incident response kick off properly?
- Or were you left completely in the dark?
All HackerOne Pentests set up a shared Slack channel for you and your pentest team. Communicate in real-time with your pentest team — ask and answer questions about the test, get updates as the test progresses, and ultimately get the most value from your pentest. One way to take advantage of this is to communicate with the testers while they are performing the pentest so that you can see what their testing activity looks like in your network logs and traffic. This will help confirm that you are able to identify and detect attacks correctly in the future.
8. Use Findings to Tune Your Scanning Tools
Ideally, your company is using Static Application Security Testing (SAST) and Dynamic Application Security Testing (DAST) tools to catch known vulnerabilities in the development phase of the lifecycle before a new release is deployed. Based on your pentest findings and what SAST and DAST scanners missed, you may need to add or update rules in these tools. This also applies to tools that scan your Infrastructure as Code (IaC). Often, a pentest will catch vulnerabilities resulting from a misconfiguration, and you’ll want to adjust your rules to catch these accordingly.
On the detection front, you will also want to review the rules in your Security Information Event Management (SIEM) tool to ensure your Security Operations Center (SOC) can identify malicious traffic missed during the pentest.
9. Empower Your Developers
Benjamin Franklin said, “An ounce of prevention is worth a pound of cure.” Empowering your developers to code securely and avoid introducing vulnerabilities is a much better approach than trying to catch issues in production.
Utilize vulnerability findings as a learning tool for secure coding training. These are real-world vulnerabilities found on your assets, not hypothetical scenarios that may not be relevant to your organization.
HackerOne offers an integration with Security Journey, a secure coding training platform that enables your organization to automatically use the vulnerabilities found in your bug bounty programs to build dynamic training plans for your developers. More information is available here.
10. Ensure Vulnerabilities Are Properly Remediated
Once your developers have remediated the vulnerability and tested the fix internally, it’s also helpful to get external validation confirming the fix was successful. All HackerOne pentests allow the same pentest team to retest vulnerabilities for up to 60 days to ensure vulnerabilities are no longer exploitable. Retesting can also be done after the 60-day period for a nominal fee of $50 per retest.
HackerOne - A Pentesting Partner
These tips and tricks will help you get the most value from your organization’s upcoming pentest engagements. Learn more about the advantages of running pentest engagements with HackerOne.
The views and opinions expressed herein are the views and opinions of the authors and do not necessarily reflect those of Nasdaq, Inc