In the previous article, we discussed the basics of pen testing, and focused on the activities you carry out during a pen pest. This time we’re going to look at the whole process. In fact, we’re going to focus on a strategy that can dramatically increase your probability of success and make the whole endeavor more enjoyable. I’m not going to let you in on any huge secrets – I’m just going to explain how treating pen testing like a project makes sense.
The Project Management Institute (PMI), the “world’s leading not-for-profit professional membership association for the project, program, and portfolio management profession,” has a lot to say about projects. Since 1969, PMI has maintained a central repository of project management knowledge, called the Project Management Body of Knowledge (PMBOK). The PMBOK provides invaluable guidance on how to manage projects of any size. PMI also administers the world’s most popular project management certification, the Project Management Professional (PMP).
So that’s the PMI pedigree. How does that apply to pen testing? PMI defines a project as:
… a temporary endeavor undertaken to create a unique product, service, or result.
You can, (and should), use the PMBOK to help manage pen testing activities. You don’t have to use the whole thing, and you don’t have to hold the PMP certification to use the great advice in the PMBOK. What you will get is an approach to pen testing that is repeatable, reliable, and can be refined over time to increase your quality. When using good project management practices, you’ll be able to keep your pen testing activities on track, and know early on if things start to depart from what you expect. It keeps you from constantly running into the unknowns that result in budget overruns and late deliveries.
So, to answer the original question, a pen testing endeavor is a project. Let’s look at how we can treat it as such.
Get TestRail FREE for 30 days!
Don’t Projects Make Everything Slower?
An organized pen testing project is one in which the tester doesn’t start out just running test. You have to start at the beginning. In fact, the more time that you spend up front, the better quality your results will be – and you’ll have an easier time repeating the process next time. And, in most cases, you’ll actually spend less time on the project since you won’t have as much re-work. Let’s take a high-level look at PMI’s view of how you should organize any project.
You can group project activities into five separate phases:
- Initiating – This is where you develop the Project Charter, which contains a high-level statement of what your project will accomplish, along with the project sponsor’s written authorization to conduct the work.
- Planning – In this phase you clearly define the scope of work, and then create a budget, schedule, and resource requirements. Here is where you can start avoiding overruns by putting it all out there in your plans. For pen testing, you’ll select the targets for your tests and the actual tests you’ll run in this phase.
- Executing – Simply put, you follow your plans from the previous phase.
- Performance and Monitoring – As you carry out your project activities, you have to keep an eye out to identify any issues early. Identifying issues early can dramatically reduce the effort needed to fix those issues. For instance, if a test that was supposed to take 45 minutes is taking nearly two hours so far, you’ll know that something is wrong. It is far better to intervene now than wait until perhaps production operations are affected.
- Closing – Many project managers either abbreviate or completely skip this part. But this phase can be one of the most important. In closing, you tie up all the loose ends and take the time to document what went well and what didn’t – all while it is fresh. This information gives you the ability to continually make your next project run more smoothly.
Why Should I Waste Time Making Plans?
Taking the time to plan before you act has many benefits. Perhaps the most important one is that you cut down on surprises. If you follow the PMI recommendations, you’ll lay out the whole project for the sponsor, (you know, the person who signs the checks), to formally approve the actions you propose. Right there you can avoid misunderstandings by putting things in writing.
Another thing you MUST get up front is written permission to conduct pen testing activities. Such written authorization, (from the owner of affected systems, networks, and devices), is often called the “get out of jail free” card. If your tests cause any damage or trigger malicious activity actions, you really want to have this piece of paper with you.
Planning helps you think about all the things you have to do, sequence those activities, and ensure that you have everything and everyone you need to carry out the plan. And, it allows you to say “No.” One of the nice things about having your sponsor officially approve your project scope statement, which is part of the planning phase, is that you can use that to resist adding “more tests” to the project.
Sometimes you really do need to expand the scope of a project. That’s OK. You just have to amend the scope statement, assess the impact (i.e. will it cost more or take longer), and have the sponsor approve the new scope. Without sponsor approval, you can say “No.” Many poorly managed projects have failed because the scope grew uncontrolled. We call this “scope creep.” Plan well and stick with your plan. You’ll be able to approach your testing more efficiently.
The Pen Testing Project Checklist
So, here is a simple checklist that will get you started toward managing pen testing like a project. (For more detailed information, visit PMI’s web site and look up the PMBOK.)
- Develop a Project Charter (high-level description of what the project will do.) You should incorporate all lessons learned from previous projects here.
- Get the sponsor to sign the Project Charter and all testing authorization forms.
- Create a Project Schedule, Project Budget, and Project Resources Requirements Documents.
- Get the sponsor to accept and sign each of these.
- Execute the planned activities, according to the Project Schedule.
- Monitor all activities, making changes as necessary to project documents (of course, always with the sponsor’s approval.)
- Create results report and presentations, along with “Lessons Learned” documentation.
- Deliver reports and presentations.
That’s a very simple list of pen testing project steps, but it will get you started. If you plan and manage your pen testing activities like a formal project, you will be able to provide more consistent results and avoid many unexpected surprises.
Article by Michael Solomon. Michael Solomon PhD CISSP PMP CISM is Professor of Information Systems Security and Information Technology at University of the Cumberlands and Director of the Ph.D. Information Technology Program.
Test Automation – Anywhere, Anytime