Step By Step Planning Penetration Test – CompTIA Pentest There are three major factors that go into any project including a penetration test. They are time, cost, and quality. These three things are always in competition with each other. If you want it done faster, it’s going to cost you more money or your quality’s going to suffer. If you want it to be a really high quality, it may take a lot of cost and a lot of time. If you want something to be cheap, then it can’t also be fast and good.
These are all things that are going to compete with each other and so planning your assessment and understanding what the company is expecting and what you can provide is very, very important.
You have to first ask,who is your target audience for the penetration test? You need to know because this is going to allow you to properly plan your penetration test.
- What does the business do?
- Are they a small local retail store who needs a simple PCI DSS compliance penetration test?
Or are they a large multi-national bank with branches all over the world and they want you to test all 100,000 of them?
Again, this scope is going to be vastly different. And their mission is different. The operations they do is different. All of this is important. And so when you have somebody who contacts you to do a penetration test, you need to figure out, what is their objective? Are they trying to do it for compliance or are they trying to test a new software before it’s being released? Both of those are valid penetration tests but they’re taken in a different approach.
- Increased timeline for testing
- Increased scope
- Increased resources (people, tech, etc)
Resources And Requirements
When we look at resources and requirements, we have to ask our self, what resources is this assessment going to require? Again, do you need to be onsite or not? Do you need to have it from inside the company or outside the company? What requirements are going to have to be met during the testing?
- What resources will be assessment require?
- What requirements will be met in the testing?
- Confidentiality of findings
- Known vs unknown vulnerabilities
- Compliance-based assessment