Search for pentest phases and you’ll come up with five standard phases typically described as follows:
These are the usual and accepted phases that most methodologies and approaches use to guide the activities of a pentest engagement. When defined and followed, these steps provide everyone involved with a roadmap for how the test will go and give the client a reasonable basis for understanding how the tester arrived at their findings and conclusions. But do these phases really map out all the critical activities involved in testing or does this list come up a bit short?
In this new Cup O’ Joe series, we’ll discuss what I believe are the ten key phases of a penetration test, talk about the serious pain points in each, and demonstrate how PlexTrac can eliminate these problems.
My goal is to have all parts of the pentest, and all the people in the engagement, working as one inside the PlexTrac platform and in order to do that, I think it’s critical to identify all the phases including, in my opinion, the most important phase — the project management phase.
Our engagement starts at the close of the sale. The NDA, MSA, and Statement of Work are all products of the sale process and should be given to the project management or operations team to start setting up the framework for the project. Setup, or Phase One, of the engagement can make or break the success of the project.
I have been blessed to have a career accompanied by some of the best project managers you could ever wish for. Some have held the coveted PMP, others have just built their experience through trial and error, but all of them had exceptional organization and communication skills. Each had their own system, sometimes gantt charts in MS Project, others used post-it notes Kanban style. If a project went south, it was usually because I ignored something they had prepared for me.
But, as I look back on my career, I wonder how they could have been better with PlexTrac. Every project begins with setting expectations. What are we doing?, Who is in charge?, Where are we testing?, What is the deliverable?, When is it due?, and so forth. During the setup process, there is a lot of information flying back and forth, and the project manager has to work with everyone to chase down the right information and get it into the right hands. It could be mesmerizing to watch my PMs juggle all the pieces, ingest the information, and create the documentation to support a smooth test.
With the PlexTrac platform we have the opportunity to centralize this information. Even more exciting, our clients can use the platform for documenting the points of contact, the scope, the rules of engagement — any information that might previously have been delivered with spreadsheets can now be uploaded using the Assessments module and templates created for the individual needs of the engagement. No more complicated mechanisms for secure data upload, no more password protected zip files, or unintelligible PGP commands. The data is added within a secure HTTPS client portal, which can be co-branded for an extra-professional process.
Our PMs are freed from having to organize and email job sheets and other engagement documents. It’s all in the portal for our testers and operators to use, in a format they can also have a hand in defining.
Defining and focusing on this first phase is my initial contribution to this series, with the complete list of phases to eventually include the following:
I will share my experience building practices and include the feedback from colleagues and customers on how to make each phase stronger and how to leverage Plextrac to really up your game.