Scope creep is a problem that affects nearly any project with goals – from writing to development to auditing. It’s also extremely common in pentesting, especially in teams where pentests are one-off or are not conducted at high frequency. In pentesting, scope creep usually means that goals were not set or defined well enough at the start of the engagement, so new assets or goals get added on and the purpose of the pentest keeps changing over its course.
Here, scope creep can lead to frustration for both pentesters and organizations, as it means pentesting timelines are delayed, the original deliverables might never be delivered, and costs can go significantly out of the bounds of the original project budget. These 5 best practices to manage scope creep in pentesting are useful for both client and pentester organizations or for internal team use.
1. Understanding End-Goals for the Pentest
It’s crucial that the team requesting a pentest understand what they want out of the test. That means creating clearly defined goals around what the end-result or value of the pentest will be. For example, that could look like:
- Meet compliance needs for DORA
- Assess vulnerabilities in a new feature before it goes live
- Perform routine application-wide pentesting to assess for vulnerabilities
- Test for a new vulnerability to offer assurance to stakeholders
Once the goal is there, the team behind the pentest request can build a list of assets that need to be tested to meet that goal. Depending on the goal, this pentest might range from one or two assets to thousands of IPs. The important thing is that you know what you need upfront: in other words, what is the ROI for the pentest?
2. Set Clear Pentest Goals Upfront
Every pentest should have a written Scope of Work defining which activities should be completed, how much time should be spent on them, using which methodology, and by which people. This pre-engagement activity is important, but it can be difficult, especially if clients are unaware of which targets they need tested. If clients aren’t aware of their assets or don’t know what they need tested, pentesters usually step in and set up an initial consultation session in which they work with the team to define the scope of the pentest.
That means:
- Assets that are to be targets
- Time constraints and budgets (e.g., per asset)
- Methodology/testing needed
- Depth of pentest (are you exploiting vulnerabilities where possible, or simply logging them without further investigation?)
Using a pentest platform such as PentestHero means you can record the scope in the platform itself. That means uploading assets into the pentest platform and adding them to the pentest project, so that everything is signed off on upfront. If you have to add new assets later, they must be incorporated as a separate, second step.
3. Communicate Frequently
Ongoing communication is a crucial part of keeping everyone involved up to date on what’s happening, when, and where. A pentest management platform is key here, because it means clients and pentesters can communicate and collaborate on the pentest as it happens. That means the client or requesting team sees timelines, process, and pentest stage. They can also communicate directly with pentesters, making it easier to figure out if the pentest is on target, if the scope covers everything it should, and that the pentest is going according to plan.
4. Assess and Prioritize Change Requests as They Happen
It’s normal to find new things to pentest and new vulnerabilities, and to have change requests occur during the pentest. Here, you should have a process in place to ensure those changes are reviewed and prioritized accordingly. In most cases, new changes should be prioritized immediately by the pentest team and the requesting team. This is also true for scope changes proposed by the pentest team: pentesters can theoretically get into anything given enough time, so if they are close to breaching something that sits just outside the agreed scope, they may make the request themselves. From there you can choose to:
- Roll the scope change into the current pentest. This is ideal for small scope adjustments that won’t affect the timeline, or for any scope adjustments which impact the end-goal (e.g., compliance) of the full pentest.
- Immediately schedule a new pentest with the new scope requests in scope for that assessment. Then the current pentest still wraps up on time with no impact to timelines or budget, but the new priority is still pentested as part of a secondary effort.
With a pentest management platform, you integrate this process directly into the pentest process. For example, you can automatically schedule a new pentest as part of the last one, so that items not brought into the current pentest scope are still covered.
5. Document Changes and Adjust the Work Order Accordingly
It’s important to document and track changes as they are made. This also means that if changes to scope are made, you need a new proposal and a new signature. Getting sign-off is also important under some regulations, like the Computer Fraud and Abuse Act in the United States, which means pentesters cannot test outside of the written scope. Having that sign-off in place means everything is written down and agreed to upfront. Plus, with integrated quotes, you can immediately send a proposal and get sign-off before starting work. That means any changes to scope are automatically documented, and you can immediately send changes to price or get sign-off for a follow-up pentest on a new asset.
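The scope record described in section 2 (assets, time per asset, methodology, depth) and the sign-off rule in section 5 (a new target stays out of scope until a change request is approved) can be enforced mechanically rather than by memory. The following is an added example written for this article; it is not PentestHero code and does not model that platform's data. The `ScopeOfWork` class, the `build_example_sow` helper, and the sample CIDRs and hostnames are all constructed for illustration. Targets are matched against the signed-off asset list before testing, and anything outside it is logged as a pending change request that only becomes testable once a named approver signs it off.

```python
import ipaddress
from dataclasses import dataclass, field
from fnmatch import fnmatch


@dataclass
class ScopeOfWork:
    """Constructed scope record: what was agreed upfront, and nothing more."""
    engagement: str
    hosts: list            # IPs or CIDR ranges (strings)
    domains: list          # exact hostnames or wildcard patterns like *.example.com
    hours_per_asset: float # agreed time budget per asset
    methodology: str       # e.g. "OWASP WSTG"
    exploit_allowed: bool  # depth: exploit findings, or log and stop?
    change_requests: list = field(default_factory=list)


def build_example_sow():
    """Constructed sample scope for the examples and tests below."""
    return ScopeOfWork(
        engagement="example-app-2024-q3",
        hosts=["10.20.0.0/16"],
        domains=["app.example.com", "*.staging.example.com"],
        hours_per_asset=4.0,
        methodology="OWASP WSTG",
        exploit_allowed=False,
    )


def in_scope(sow, target):
    """True only if target is inside the signed-off asset list."""
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        ip = None
    if ip is not None:
        return any(ip in ipaddress.ip_network(h, strict=False) for h in sow.hosts)
    name = target.lower()
    # fnmatch treats '*' as matching any run of characters, dots included,
    # so '*.staging.example.com' also covers deeper subdomains.
    return any(name == d.lower() or fnmatch(name, d.lower()) for d in sow.domains)


def triage_targets(sow, candidates):
    """Split a candidate list into what may be tested now and what may not."""
    allowed = [t for t in candidates if in_scope(sow, t)]
    blocked = [t for t in candidates if not in_scope(sow, t)]
    return allowed, blocked


def request_scope_change(sow, target, reason, requested_by):
    """Record a change request; the target stays out of scope until approved."""
    if in_scope(sow, target):
        return "already-in-scope"
    sow.change_requests.append({
        "target": target, "reason": reason,
        "requested_by": requested_by, "status": "pending",
    })
    return "pending-signoff"


def approve_change(sow, target, signed_by):
    """Only a signed approval moves a requested target into the live scope."""
    for cr in sow.change_requests:
        if cr["target"] == target and cr["status"] == "pending":
            cr["status"] = "approved"
            cr["signed_by"] = signed_by
            try:
                ipaddress.ip_network(target, strict=False)
                sow.hosts.append(target)
            except ValueError:
                sow.domains.append(target)
            return True
    return False


def pending_requests(sow):
    """Change requests still waiting for sign-off (for the follow-up quote)."""
    return [cr for cr in sow.change_requests if cr["status"] == "pending"]


if __name__ == "__main__":
    sow = build_example_sow()
    found = ["10.20.0.7", "api.staging.example.com", "192.0.2.44", "example.com"]
    ok, blocked = triage_targets(sow, found)
    print("testable now:", ok)
    print("needs change request:", blocked)
    for t in blocked:
        print(t, "->", request_scope_change(sow, t, "discovered during recon", "tester"))
    print("pending:", [cr["target"] for cr in pending_requests(sow)])
```

The useful property is that `in_scope` is the only path to a "yes", and the only thing that changes its answer is `approve_change` with a named signer, so the scope file doubles as the audit trail the article asks for. Rolling a request into the current engagement or deferring it to a follow-up pentest is a decision made on the pending list, not by editing the asset list directly.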
Scope creep negatively affects both pentest and client teams. Getting it under control means setting guidelines upfront and sticking to them. And when you inevitably find new things to pentest, being able to prioritize them, either for a later pentest or as an adjustment to the current scope, should be part of the process.
Are you ready to learn more about how a pentest platform helps with preventing scope creep? Contact us for a demo!