Introduction
Hello everybody! My name is Daniel, and I am currently a security consultant at SEC Consult Singapore. My job is to conduct security assessments and help improve the security posture of our company’s clients. In this article, I would like to share the consulting aspect of my role, specifically focusing on scoping.
Scoping 101
Scoping is the process by which the security consultant establishes the boundaries of a security assessment and estimates the optimum effort required for it. This ensures that the client receives a comprehensive security assessment without exceeding their annual cybersecurity budget.
In short, scoping is a process that involves understanding the optimum efforts required for a security assessment.
Within scoping, there are two main factors to take note of:
- Optimum effort (time) required for the security assessment
- Client’s cybersecurity budget
In the most ideal scenario for a security consultant, they would have all the time in the world to conduct the security assessment. However, this is not an optimum scenario for the client, as it would significantly increase their operational cost.
Scoping is an important process: the security consultant needs to ensure that the security assessment is comprehensive while the effort required does not exceed the client’s budget. Therefore, it is essential for a security consultant to be proficient in conducting scoping.
Determining the optimum effort for a security assessment is not easy; here are a few general factors to consider:
- Familiarity with the system (e.g., framework, operating system, etc.)
- Competency of individual security consultant (The person scoping the work may not be the one performing the security assessment)
- Security measures implemented on the system (e.g., end-to-end encryption, root/jailbreak detection, etc.)
Hacks for scoping
To ensure that the efforts are well-optimised for the work, I have compiled a list of common questions that I usually pose to the client during a scoping call.
Network Vulnerability Assessment (NVA)
- Number of IP addresses within the assessment
- Is there a firewall? (If yes, will it be disabled during the scan?)
- Any special requirements? (E.g., a different LAN port for each network segment, or the testing laptop’s IP address needing to be changed for each network segment)
- Conducted during or after office hours? (Pricing may vary for an after-office-hours assessment)
Web Application
- What is the backend framework? (Spring Boot, PHP, NodeJS, Django)
- What is the Penetration Testing Approach? (Blackbox, Whitebox, Greybox)
- Number of dynamic URL(s)
- Number of function(s)
- Number of user role(s)
- Are there any special security mechanisms? (For instance, end-to-end encryption)
- Is there a Web Application Firewall? (If yes, will it be disabled during the security assessment?)
Mobile Application
- What operating system does the application run on? (iOS, Android, HarmonyOS)
- What is the Penetration Testing Approach? (Blackbox, Whitebox, Greybox)
- Are there any security mechanisms enabled? (For instance, Root/Jailbreak detection or SSL pinning. If these mechanisms are enabled, would the client be able to provide an insecure build by disabling them?)
- Questions on mobile API testing (please refer to the web application’s common questions)
Examples of the scoping process
Assuming that I have gathered all the essential information required for the scope, it is time to come up with the effort required for the security assessment. I have come up with the following examples with a detailed breakdown of the effort:
NVA Example
The scope for the network vulnerability assessment includes the following:
- 10 IP addresses
- No special requirements
- The firewall exists but will be disabled during the assessment
- Assessment to be conducted during office hours
Breakdown
Mobile Application Example
The scope for the mobile application security assessment includes the following:
- Conduct a security assessment of the mobile application on both the iOS and Android operating systems
- Security mechanisms will not be disabled (root/jailbreak detection and SSL pinning)
- 50 forms within the mobile application are included in the security assessment
- 25 API endpoints (the Android and iOS versions of the mobile application use the same API endpoints)
- 2 user roles
- End-to-end encryption is implemented on most API endpoints
- The web application firewall exists but will be disabled during the assessment
Breakdown
Conclusion
During the scoping process, I personally feel that there are no strict rules or guidelines that you must follow, as each scoping is tailored to the customer’s specific requirements. One important aspect to remember as a security consultant is to ensure that all the systems within the scope are assessed according to industry standards. Therefore, if you find that you need more time, do not hesitate to communicate this to your manager and work together to find a suitable solution.
Hopefully, this article has helped you learn more about scoping and enjoy the experience of being a security consultant (if you are one 😉).