If you’re considering a pentest, it’s important to plan and prepare for the assessment. Most new business owners have no real idea of where to start or how to do pentesting, but that’s easily fixed. Your pentester will normally help you work out the details, steps, and scope.
Pentests are carried out for a number of different reasons, to different levels of security, and by wildly varying firms. It’s critical that you establish needs, budget, and end-goals upfront. These 10 steps will walk you through how to do pentesting so you can get started on your cybersecurity.
Step 1: Why Pentest?
Why do you need a pentest? What’s in it for your organization? Identifying why will help you determine which types of penetration testing you need. Most businesses run pentests for 2 primary reasons:
- Security
- Compliance
The first can sound difficult to justify. After all, why pay now for something that’s only a risk? The thing is, it’s a big risk. In 2007, businesses were attacked in cyberspace every 39 seconds according to Michel Cukier of Maryland University. Since then, security firms like Accenture have reported increases in threats and breaches rising an average of 11% per year. If your business has a digital presence, cybersecurity is a must. Most organizations can conduct a risk assessment to determine what happens if you don’t pentest. Chances are, it will be a lot higher than a regular pentest to ensure you’re not vulnerable. A breach could result in losing funds, losing customers, and losing your business.
Compliance is another issue. Normally you need pentesting to meet compliance standards for online payments, healthcare, and other instances where your organization handles personal data. PentestHero delivers pentests to meet the specific needs of many different compliance standards.
Many companies need pentesting for both reasons. You can handle everything in one comprehensive test, or schedule regular pentest for security throughout the year, and context-specific pentest for compliance when needed.
Step 2: Set a Budget
Step one allows you to determine what you need. You still have to determine the level and depth to which you need to be secured. In most cases, you can set this by looking at your risk assessment and your compliance needs.
- Does your business handle personal data?
- What is your risk level?
- How many assets are affected if your organization is breached?
- What is the potential total cost of a loss? Best case scenario? Worst case?
Estimates for the average cost of a breach range from about $10,000 for small businesses to well over $3 million for “average” companies. IBM offers a free cost calculator you can use to review what a hack or breach might cost your organization.
If your organization is breached, you lose money, you lose customers, and you may lose your business.
Your pentest budget should include:
- The pentest
- Remediation by your team
- Retesting
- Ongoing security
What Affects Cost? – Pentests can range from a few thousand to tens of thousands of euros. In most cases, influential factors affecting cost include the volume and complexity of the pentest. Eventually, the price depends on how much time the pentest team has to spend rather than types of pentesting they might employ.
Step 3: Gathering Information
Gathering information is one of the most important penetration testing steps. Most pentest companies will help you with this stage. It involves mapping your web assets, determining what pentesting level you need.
- What are your web assets?
- How/where are they hosted?
- What third-party tooling/integrations do you have?
- What logins do you use?
- What kind of data is handled by your application?
You can normally create a simple map with your website in the middle and connecting assets around it:
- Website, hosted on GoDaddy (or on premise, in your own cloud with Azure, AWS, etc.)
- Database
- Customer Login
- Windows (Or Linux, etc.)
- Protective Measures such as Firewall & Web Application Firewall
Your pentester or ethical hacker should walk you through these questions to help you determine what should be tested and how. If you’re testing for compliance, the pentester will likely have to run a minimum of a specific set of checks.
You also have to consider access level. Access level defines whether the pentester can check for external vulnerabilities or fully review your code from the inside. Most compliance will require internal review. Black Box (external only), Grey Box (Internal/External), White Box (internal only).
Step 4: Intake
Intake is the first step of an actual pentest. Here, your pentest firm will introduce you to the company, will request information (as described above), and will eventually deliver a proposal and/or quote. While your pentester will offer advice based on your compliance needs and organization size, you can request access level, type of pentesting, and compliance specifications at this time.
You’ll also:
- Agree on time to start
- Define “safe” pentesting hours
- Set rules of engagement (E.g., can the pentester change data in the live environment)
- Set the testing environment
Your pentester will walk you through these steps to ensure everything is ready to start when you do. During this stage, PentestHero will onboard you to our cloud platform, where you’ll have access to your findings, the pentest report, and can manage your assets.
Step 5: Approvals
In most cases, you will have to acquire approval to pentest external applications and services. This means you will need approval from server hosts, third-party applications, etc. In some cases, like Azure, you do not need approvals. Your pentest company will ask you to sign a waiver. For some types of pentests, like white box and grey box, you’ll also have to hand over access to your application or platform.
You should have a list of phone numbers to call in case something goes wrong.
Step 6: Start
The pentest will start on a pre-approved date, typically during non-peak hours, or as agreed upon in your contract. In most cases, you will receive daily updates. You should also regularly check to ensure your web properties are still available. In most cases, responsiveness will drop during the assessment. If this occurs during peak hours, you can normally ask the pentester to pause testing.
PentestHero will deliver real time updates, so you always know when your pentest is finished.
Step 7: The Report
Most pentest firms will deliver a pentest report ranging from about 30-100+ pages. These PDF or paper reports contain everything reviewed in the pentest, findings, and notes from the ethical hacker when applicable.
PentestHero uses a different approach, because we believe these dense reports are difficult to use. Yit can take months before developers see data, simply because it’s difficult to access or create tickets from. Instead, we upload findings as tickets and alert stakeholders (like your developers) in real time. It’s critical that you be able to resolve findings, and quickly, to prevent a breach.
Step 8: Taking Action
You normally hand pentest findings over to development and security teams. They take action, working to resolve findings.
If you work with PentestHero , this process is collaborative. Developers can log into our portal, ask questions, view findings, and export findings directly to their own tooling. Once you’ve resolved the finding, you can change the status in the tooling, which will be reflected on your final report.
Step 9: Retesting
If you’ve resolved a vulnerability, it’s important to retest the issue to ensure it’s fixed. While not every vulnerability requires a retest (e.g., if you just have to update your software), many problems do.
PentestHero delivers retesting for free, to ensure your web properties are secure.
Step 10: Finish and update the report
Following the retest, you can generate a clean, finding-free report for compliance and audit needs. This ensures you never have to discuss whether a finding is fixed or not during the audit, so everything goes as smoothly and as quickly as possible.
Pentests are an important way to ensure your site is secure, for compliance and for your business. PentestHero will deliver collaborative testing to help you remediate issues, so you pass compliance audits and stay secure. Hopefully these 10 pentest steps help you better understand how to do a penetration test and what’s involved.
Want to start a pentest? Contact us now to get started.