Preparing Your Test Environment
Preparing your testing environment and the differences between testing on staging versus production.
The target pentest environment should mirror production as closely as possible and accurately represent its normal operating conditions to a typical user or customer.
This includes:
Fully enabled/configured/licensed features for the most common use cases or workflows.
All known differences between the test environment and production (these should be highlighted during the kickoff call).
If the system integrates with other external systems, testers may need access to those systems or to test equivalents of them, so that the risks posed by the integration points and the associated data flows into the system can be adequately tested.
If a web application firewall (WAF), intrusion prevention system (IPS), or other security appliance is in use, it is recommended that it either be disabled or have the testers' IPs whitelisted (Software Secured's IPs are included in the pentest checklist).
This will ensure the best possible coverage of the test. If you wish to test the effectiveness of these controls, please ask us about other test offerings such as red teaming and Secure Cloud Review.
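One way to keep such a whitelist from outliving the engagement is to tie the bypass to the agreed test window, so that it expires at report delivery even if nobody removes the entries. The following is an added example, not Software Secured's tooling or checklist; the allowlist CIDRs (RFC 5737 documentation ranges standing in for real tester IPs), the test window and the request log are all constructed.

```python
"""Time-boxed WAF/IPS bypass for tester source IPs.

Added example, not Software Secured's tooling. The allowlist CIDRs, the
engagement window and the sample request log are constructed; RFC 5737
documentation ranges stand in for the tester IPs that the real pentest
checklist would provide.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed stand-ins for the tester IPs listed in the pentest checklist.
TESTER_ALLOWLIST = ["203.0.113.0/24", "198.51.100.7"]


def utc(year: int, month: int, day: int, hour: int = 0, minute: int = 0) -> datetime:
    """Small helper so callers never build a naive (timezone-less) datetime."""
    return datetime(year, month, day, hour, minute, tzinfo=timezone.utc)


@dataclass
class BypassPolicy:
    """Skip WAF/IPS inspection only for allowlisted IPs inside the test window.

    The window runs from the first test date until report delivery; after
    that the bypass expires on its own even if nobody remembers to remove
    the allowlist entries.
    """

    networks: list[ipaddress.IPv4Network | ipaddress.IPv6Network]
    start: datetime
    end: datetime
    audit: list[str] = field(default_factory=list)

    @classmethod
    def from_cidrs(cls, cidrs: list[str], start: datetime, end: datetime) -> "BypassPolicy":
        # strict=False accepts a bare host address such as "198.51.100.7" as a /32.
        return cls([ipaddress.ip_network(c, strict=False) for c in cidrs], start, end)

    def should_bypass(self, src_ip: str, now: datetime) -> bool:
        try:
            addr = ipaddress.ip_address(src_ip)
        except ValueError:
            # Garbage in a forwarded-for header must never earn a bypass.
            self.audit.append(f"{now.isoformat()} {src_ip!r}: malformed source, inspecting")
            return False
        in_scope = any(addr in net for net in self.networks)   # IPv6 vs IPv4 mismatch is False
        in_window = self.start <= now <= self.end
        decision = in_scope and in_window
        self.audit.append(
            f"{now.isoformat()} {src_ip}: allowlisted={in_scope} "
            f"in_window={in_window} bypass={decision}"
        )
        return decision

    def stale_entries(self, now: datetime) -> list[str]:
        """Entries to remove from the appliance: the whole allowlist once the window closes."""
        return [str(net) for net in self.networks] if now > self.end else []


# Constructed request log: (timestamp, source IP).
SAMPLE_REQUESTS = [
    ("2024-03-04T09:15:00+00:00", "203.0.113.42"),  # tester, inside window
    ("2024-03-04T09:16:00+00:00", "198.51.100.7"),  # tester, inside window
    ("2024-03-04T09:17:00+00:00", "192.0.2.10"),    # customer traffic, inspected
    ("2024-03-20T11:00:00+00:00", "203.0.113.42"),  # tester IP after the window closed
    ("2024-03-04T09:18:00+00:00", "not-an-ip"),     # malformed header value
]


def demo_policy() -> BypassPolicy:
    """Window: first test date through the (constructed) report delivery date."""
    return BypassPolicy.from_cidrs(TESTER_ALLOWLIST, utc(2024, 3, 4), utc(2024, 3, 15, 23, 59))


def evaluate_sample() -> dict[str, int]:
    """Replay the constructed log and count bypass decisions."""
    policy = demo_policy()
    counts = {"bypassed": 0, "inspected": 0}
    for stamp, ip in SAMPLE_REQUESTS:
        key = "bypassed" if policy.should_bypass(ip, datetime.fromisoformat(stamp)) else "inspected"
        counts[key] += 1
    return counts


if __name__ == "__main__":
    print(evaluate_sample())
    print("remove after report delivery:", demo_policy().stale_entries(utc(2024, 4, 1)))
```

The audit list is the part worth keeping in a real deployment: each bypass decision is logged with its reason, so customer traffic that was inspected during the test and tester traffic that was not can be told apart afterwards, and `stale_entries` gives the list to clean up once the report has been delivered.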
The test environment will need to be available consistently throughout the test dates, and until final report delivery, to support report writing, evidence collection, and our quality assurance process. Once the report is delivered, the environment can be de-provisioned if needed. Alternatively, packages with frequent pentesting operations, such as Penetration Testing as a Service (PTaaS), will keep the test environment live to facilitate faster retesting and consultation requests.
Testing on Staging versus Production
For all network pentests, Software Secured will test on production. Application pentests usually include a network or infrastructure portion conducted on production. However, for the application/software portion of the test, Software Secured highly recommends testing on a staging or test environment. Pentesting the application in a production environment is possible; however, pentesting is by design an invasive process and can sometimes result in outages or data deletion. When focusing solely on the network, this is less of a concern. When testing on production is required, it is recommended that backups be taken before the start of testing and at regular intervals throughout, to ensure business continuity if any outages occur.
More information on the advantages and disadvantages of testing on production can be found here.
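The backup recommendation above is easy to state and easy to get wrong in practice: the pre-test copy is skipped, the interval slips, or an archive turns out to be unrestorable when it is finally needed. The following added example (not Software Secured's tooling) shows the three pieces a practitioner wants: a due-check that fires before the first test action and then on the agreed cadence, a checksummed snapshot, and a verification step that rejects a corrupted archive. The data directory, file contents, interval and timeline are constructed for the demo.

```python
"""Pre-test and interval backups for a pentest run against production.

Added example, not Software Secured's tooling. It archives an application
data directory before the first test action and again whenever the agreed
interval has elapsed, writes a SHA-256 sidecar for each archive, and refuses
to treat a tampered or truncated archive as restorable. The directory
layout, file contents, interval and timeline are constructed for the demo.
"""
from __future__ import annotations

import hashlib
import tarfile
import tempfile
from datetime import datetime, timedelta, timezone
from pathlib import Path

START = datetime(2024, 3, 4, 8, 0, tzinfo=timezone.utc)   # constructed first test date
INTERVAL = timedelta(hours=4)                               # constructed backup cadence


def backup_due(last_backup: datetime | None, now: datetime, interval: timedelta) -> bool:
    """Due before the first test action, then each time `interval` has elapsed."""
    return last_backup is None or now - last_backup >= interval


def sha256_of(path: Path) -> str:
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(src_dir: Path, dest_dir: Path, now: datetime) -> Path:
    """Write dest/snapshot-<UTC stamp>.tar.gz and a matching .sha256 sidecar."""
    dest_dir.mkdir(parents=True, exist_ok=True)
    archive = dest_dir / f"snapshot-{now.strftime('%Y%m%dT%H%M%SZ')}.tar.gz"
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(src_dir, arcname=src_dir.name)
    Path(f"{archive}.sha256").write_text(sha256_of(archive) + "\n")
    return archive


def verify(archive: Path) -> bool:
    """True only if the sidecar checksum matches and the archive lists real files."""
    sidecar = Path(f"{archive}.sha256")
    if not sidecar.exists() or sha256_of(archive) != sidecar.read_text().strip():
        return False
    with tarfile.open(archive, "r:gz") as tar:
        return any(member.isfile() for member in tar.getmembers())


def run_demo() -> dict[str, object]:
    """Simulate a test day: four checkpoints, backups only when due, then a tamper check."""
    with tempfile.TemporaryDirectory() as tmp:
        data = Path(tmp) / "app-data"
        (data / "db").mkdir(parents=True)
        (data / "config.yml").write_text("feature_flags: all\n")             # constructed
        (data / "db" / "users.sqlite").write_bytes(b"SQLite format 3\x00")   # constructed
        backups = Path(tmp) / "backups"

        last_backup = None
        archives = []
        for hours in (0, 1, 4, 9):              # checkpoints during the test day
            now = START + timedelta(hours=hours)
            if backup_due(last_backup, now, INTERVAL):
                archives.append(snapshot(data, backups, now))
                last_backup = now

        verified = sum(verify(a) for a in archives)
        with archives[0].open("ab") as fh:      # simulate silent corruption of one archive
            fh.write(b"\x00")
        return {
            "archives": len(archives),
            "verified_before_tamper": verified,
            "tamper_detected": not verify(archives[0]),
        }


if __name__ == "__main__":
    print(run_demo())
```

On the constructed timeline the checkpoints at 0h, 4h and 9h each produce an archive while the 1h checkpoint does not, and the deliberately corrupted first archive fails verification. In a real engagement the snapshot step would be the database's own dump tool rather than a tar of a directory, but the due-check and the verify-before-you-trust step carry over unchanged.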