Penetration Testing Scoping

Penetration Testing Scoping
Contact information
Organization
POC Name
Position
Phone Number
Please enter a valid phone number.
Email
example@example.com
Address

Street Address

Street Address Line 2

CityState / Province

Postal / Zip Code

Overview
Penetration testing will never be an exact science where a complete list of all possible issues that should be tested can be defined. Our methodology aligns with the OWASP Testing Framework Part One (http://www.owasp.org) and Risk Management Guide for Information Technology Systems, NIST 800-30 1 which describes vulnerabilities in operational, technical and management categories. External Network/Infrastructure, Web, Application, and API penetration testing are essential for all compliance frameworks (ISO 27001, SOC 2, PCI DSS, NIST, HITRUST, etc.). Our services and reporting options not only help you meet your compliance requirements and satisfy your auditing team but also enhance your security posture, benefiting your organization and clients. However, the goal is to find the right balance to provide a level of testing matching a realistic threat without wasting time and resources. There are two (2) main factors we consider: 1. Optimum effort (time) required for the security assessment and 2. Client’s cybersecurity budget. The following four (4) sections will help develop the Scope of the Penetration Test. (https://mccoe.org/penetration-testing).

I. What are your organizational goals and Objectives for the penetration test?
Note: Goals of a penetration test are different for each engagement, “we focus to fulfill the obligations of compliance for such and such standards “or “we need to increase our Cybersecurity Hygiene".
II. What is the scope of this engagement?
a. What are the primary business applications utilized by your organization?
(Email, Calendar, SaleForce, Etc.)

b. Network Vulnerability Assessment (NVA)
1. Number of IP addresses within the assessment
2. IP Ranges in Scope
3. IP Ranges Excluded from Scope
4. Domain Names in Scope
5. Domain Names Excluded from Scope
6. Number of Networks / VLANs in scope
7. How many total live systems are in scope (i.e. active IP addresses)?
Servers?OS? PC/Laptops?OS?MobileDevices? OS?
8. Are there any firewalls? Name brand? (If yes, will they be disabled during the scan?)
9. Any special requirements?
(I.E., Different LAN port for different network segments or testing laptop’s IP address needs to be change for different network segments)
10. Would you like testing conducted during or after-office hours?
(Pricing may vary for an after-office hour assessment)
11. Are there domains or IP’s explicitly excluded?

c. Web Application
1. How many total web application interfaces are in scope?1
2. What is the backend framework?
(Spring boot, PHP,NodeJS, Django)
3. What is the Penetration Testing Approach?

Black-Box testing - a type of software testing in which the functionality of the software is not known - also called Functional testingWhite-Box testing - or Glass-Box testing is at esting technique that tests the software by using the knowledge of internal data structures, physical logic flow, and architecture at the level of source code. This testing works by looking at testing from the developer’s point of view.Gray-Box Testing - a combination of the Black-Box Testing technique and the White-Box Testing technique in software testing. The gray-box testing involves inputs and outputs of a program for the testing purpose but test design is tested by using the information about the code.
4. Number of Dynamic URL's
5. How Many Functions?
6. How many User Roles?
7. Is there any special security mechanisms? (For instance, end-to-end encryption)
8. Are there any Web Application Firewalls? (If yes, will they be disabled during the security assessment?)
9. Will authenticated testing be required for web applications or only external/unauthenticated testing? If authenticated testing is required, about how many dynamic pages exist in the application (pages that ingest user input through an input field, drop down, etc.)?
If only unauthenticated testing is required, this can be covered in our External Penetration Test
10. How many unique API endpoints exist in the application?
11. How many user levels will be tested?
(e.g., administrator, privileged user, customer user)

d. Mobile Application
1. What operating system does the application runs on?
(iOS, Android, HarmonyOS)
2. What is the Penetration Testing Approach?
(Blackbox, Whitebox, Greybox)
3. Are there any security mechanisms enabled? If these mechanisms are enabled, would the client be able to provide an insecure build by disabling them?
(For instance, Root/Jailbreak detectionor SSL pinning.

e. Social Engineering
What are your Social Engineering Penetration Testing Requirements?

f. Operational Technology (OT)
What are your OT Penetration Testing Requirements?

g. Additional Coordination Information:
1. Does the client own all the target environments in scope? If not, has permission been granted by the owning parties?
2. Will testing be performed in a production or non-production environment?
3. Microsoft Azure Penetration Testing Rules of Engagement?
4. Amazon Penetration Testing Rules of Engagement?
5. Google Cloud Platform Rules of Engagement?
6. Oracle Cloud Rules of Engagement?
7. Are there any MSPs, MSSPs, or other third parties who need to be made aware of the testing? Do we need to coordinate with them?
8. Do you have a Secure Site for uploads and reports? Use MCCoE?

III. Time Scheduling

Note: Characterized in terms of overall time limitations, of how many day/weeks/months the engagement will last, as well as time schedules.
1. Requested Period of Engagement:

(4–8 Weeks)
Beginning Date

MonthDayYear
NLT Ending Date

MonthDayYear
2. Are there any days and/or times that work best for In-Progress Report Meetings (IPRMs)?

IV. What are the emergency Lines of communication?
Primary Person of Contact

First NameLast Name
Position
Phone Number
Please enter a valid phone number.
Email
example@example.com
Secondary Person of Contact

First NameLast Name
Position
Phone Number
Please enter a valid phone number.
Email
example@example.com
Should be Empty:

Penetration Testing Scoping

Contact information

Overview

I. What are your organizational goals and Objectives for the penetration test?

II. What is the scope of this engagement?

b. Network Vulnerability Assessment (NVA)

c. Web Application

d. Mobile Application

e. Social Engineering

f. Operational Technology (OT)

g. Additional Coordination Information:

III. Time Scheduling

1. Requested Period of Engagement:

IV. What are the emergency Lines of communication?