Spencer Chin is the Head of Solutions Engineering for the Americas at HackerOne, and Jasmin Landry is a Senior Director at Nasdaq and a HackerOne penetration tester. Collectively, they've helped hundreds of organizations, such as Grammarly, Zebra, and Jedox, scope and execute penetration tests so that they get the best results possible. The following tips are based on real-world experience and are structured to help your organization execute a successful pentest engagement from start to finish.
Before the Pentest
1. Make Backups and Test Them.
In some cases, pentests are conducted on production environments. When that is the case, ensure your organization has backups of all its data and verify the backups are working by testing a restore before the pentest begins. It's best to prepare for data recovery, as accidents can and will happen during pentests.
2. Have an Incident Response Plan Set and Ready to Execute.
Sometimes, pentesters find vulnerabilities that may either cause an incident (which is rare) or find evidence that a malicious actor has already exploited a vulnerability in the past.
If this happens, you may need to start your incident response (IR) plan. Thoroughly test your IR plan, and ensure each team member knows their roles and responsibilities. For example, if pentesters discover a vulnerability was exploited and used to exfiltrate Personally Identifiable Information (PII), your IR plan must be ready to initiate immediately.
3. Make It Gray Box
Deciding whether your pentest should be black box, white box, or gray box depends on your goals. A black box test provides very limited or no information about the asset being tested; a white box test provides full information about the asset being tested, including, but not limited to, source code and credentials; and a gray box test is somewhere in the middle.
Organizations typically use a black box assessment to simulate what a remote adversary could discover about them and how they might leverage that intelligence to carry out a cyberattack. Many customers decide to go with a black box approach because they feel it will best simulate an actual adversary with limited knowledge of your organization. However, this discounts the fact that adversaries often have much more time to dedicate to their attack than a pentester. Pentesters are limited to a few weeks of testing, while adversaries have unlimited time.
Gray box penetration testing bridges this time gap by providing relevant information to testers so they can focus on finding vulnerabilities. If your goal is to identify vulnerabilities in your assets in the most efficient way possible (and therefore the most cost-effective), then a gray box approach is probably the most effective.
Provide your pentest team with the following information and access in a gray box test:
- Multiple user roles with varying levels of access. Providing multiple user roles enables testers to verify that authorization controls are working as intended and generally gives them access to test more of the asset.
- Information on the technology stack. Different technologies are more susceptible to certain types of vulnerabilities.
- Where the application is hosted. Attack methods change depending on whether the application is in the cloud or on-premises.
- Add the pentest team to your firewall (or WAF) allow list. This avoids the pentest team getting rate-limited or blocked and lets them focus their time on testing the application.
HackerOne has an in-platform pentest scoping form to facilitate the collection of this key information and of which assets should be tested. The scoping form makes it easy to securely share details with the pentest team so that they can make the most of the time allotted.
4. Have an Up-to-Date Inventory of Your Assets and Asset Owners
A pentest may include a wildcard domain, an IP range, or even all the assets owned by a company. Find out the owner of every asset in scope. Fix any critical vulnerabilities as soon as possible. Assign and share organizational contact information so testers can ask questions as needed.
The HackerOne Asset Inventory provides a centralized location to manage all your assets and the associated application security testing at scale. Learn more about our attack surface management solution.
5. Loop in Your Dev Team
When planning an engagement, alert your development team to the fact that you're running a pentest. Often, vulnerability remediation will fall on your development team, and nobody likes unexpected, high-priority work showing up on their doorstep.
HackerOne Pentest has a variety of integrations with Software Development Life Cycle (SDLC) tools such as JIRA, ServiceNow, Github, and Gitlab to streamline your remediation efforts. These integrations allow you to push vulnerability reports from HackerOne into the native tools your developers use so that they don't have to change their workflows.
6. Prepare the Environment With a Checklist
Once you have considered all the points above, the last step is to prepare the testing environment to kick off the pentest smoothly and on time. A quick checklist:
- Confirm the environment is accessible.
- For mobile applications, make sure the testers understand how they get the application (Are you providing an APK/IPA file, using Google Play Console/TestFlight, etc.).
- If you need to add the pentest team to the allow list for your firewalls or other systems, confirm these changes are applied and functional.
- Provide all required credentials for testers and test the credentials to make sure they're functional.
After the Pentest
If you have followed the steps above to prepare your pentest properly, you should have impactful results to help improve your security posture.
7. Debrief With Your Security Team
Review the vulnerability reports and use them as a tool to improve your remediation efforts and fine-tune your detection capabilities for future attacks.
A pentest is a fantastic opportunity to understand your assets' vulnerabilities and how effective your defense, detection, and response efforts were. Find out:
- Were any alerts triggered?
- Did the incident response kick off properly?
- Or were you left completely in the dark?
All HackerOne Pentests set up a shared Slack channel for you and your pentest team. Communicate in real time with your pentest team: ask and answer questions about the test, get updates as the test progresses, and ultimately get the most value out of your pentest. One way to make the most of this is to talk with the testers while they're performing the pentest so that you can see what their testing activity looks like in your network logs and traffic. This will help confirm that you will be able to identify and detect attacks correctly in the future.
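One way to carry out the checklist's allow-list check and, at the same time, see what the testers' activity looks like in your own logs, as an added example that is not part of the original post: it matches web access-log lines against the CIDR ranges the pentest team declared and flags any of their requests that the edge still blocked or rate-limited. The log lines and address ranges are constructed samples, not real data.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample: the source ranges the pentest team declared they would test from.
PENTEST_ALLOW_LIST = ["203.0.113.0/28", "198.51.100.7/32"]

# Constructed sample access-log lines (hypothetical values, common combined-log layout).
SAMPLE_LOG = """\
203.0.113.5 - - [13/Apr/2023:10:01:02 +0000] "GET /login HTTP/1.1" 200 512
203.0.113.5 - - [13/Apr/2023:10:01:03 +0000] "POST /api/users?id=1' HTTP/1.1" 403 0
203.0.113.9 - - [13/Apr/2023:10:01:05 +0000] "GET /admin HTTP/1.1" 429 0
198.51.100.7 - - [13/Apr/2023:10:02:00 +0000] "GET /search?q=<script> HTTP/1.1" 200 2048
192.0.2.44 - - [13/Apr/2023:10:02:01 +0000] "GET / HTTP/1.1" 200 1024
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\d+)')
BLOCKED_STATUSES = {403, 429}  # typical WAF-block and rate-limit responses


def parse_line(line):
    """Return (ip, method, path, status) for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, _ts, method, path, status, _size = m.groups()
    return ip, method, path, int(status)


def is_pentest_source(ip, cidrs=PENTEST_ALLOW_LIST):
    """True when the client address is inside one of the pentest team's declared ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c) for c in cidrs)


def audit_pentest_traffic(log_text, cidrs=PENTEST_ALLOW_LIST):
    """Split pentest-team requests from the rest; a non-empty 'blocked' list means the allow list failed."""
    report = {"pentest_requests": 0, "other_requests": 0, "blocked": [], "paths": Counter()}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip lines in another format rather than misattributing them
        ip, method, path, status = parsed
        if not is_pentest_source(ip, cidrs):
            report["other_requests"] += 1
            continue
        report["pentest_requests"] += 1
        report["paths"][path.split("?", 1)[0]] += 1  # where the testers' activity landed
        if status in BLOCKED_STATUSES:
            report["blocked"].append((ip, method, path, status))
    return report
```

Run `audit_pentest_traffic` over a log export taken while the testers are active; every entry in `blocked` is a request from the declared ranges that your edge still rejected, and `paths` is the footprint you should expect to see in your SIEM.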
8. Use Findings to Tune Your Scanning Tools
Ideally, your company is using Static Application Security Testing (SAST) and Dynamic Application Security Testing (DAST) tools to catch known vulnerabilities in the development phase of the lifecycle, before a new release is deployed. Based on your pentest findings and on what the SAST and DAST scanners missed, you may need to add or update rules in these tools. This also applies to tools that scan your Infrastructure as Code (IaC). Often, a pentest will catch vulnerabilities resulting from a misconfiguration, and you'll want to adjust your rules to catch these accordingly.
On the detection front, you will also want to review the rules in your Security Information and Event Management (SIEM) tool to ensure your Security Operations Center (SOC) can identify malicious traffic that was missed during the pentest.
9. Empower Your Developers
Benjamin Franklin said, "An ounce of prevention is worth a pound of cure." Empowering your developers to code securely and avoid introducing vulnerabilities is a much better approach than trying to catch issues in production.
Use vulnerability findings as a learning tool for secure coding training. These are real-world vulnerabilities found in your assets, not hypothetical scenarios that may not be relevant to your organization.
HackerOne offers an integration with Security Journey, a secure coding training platform that enables your organization to automatically use the vulnerabilities found in your bug bounty programs to build dynamic training plans for your developers.
10. Ensure Vulnerabilities Are Properly Remediated
Once your developers have remediated the vulnerability and tested the fix internally, it's also helpful to get external validation confirming the fix was successful. All HackerOne pentests allow the same pentest team to retest vulnerabilities for up to 60 days to ensure vulnerabilities are no longer exploitable. Retesting can also be done after the 60-day period for a nominal fee of $50 per retest.
HackerOne: A Pentesting Partner
These tips and tricks will help you get the most value out of your organization's upcoming pentest engagements. Learn more about the advantages of running pentest engagements with HackerOne.
The views and opinions expressed herein are the views and opinions of the authors and do not necessarily reflect those of Nasdaq, Inc.
Author: Spencer Chin
Date: 2023-04-13 12:00:00