Getting Started With Pentest

By Aseem Shrey on 7th Feb, 2024


In this blog we walk through, step by step, what goes on behind a successful pentest. This covers not only the technical aspects but also the business and legal ones.

If you're responsible for getting your organisation's app or website pentested, this blog should help you navigate the process easily.

What is a Pentest?

Pentest, also known as pentesting, is a term used interchangeably with Vulnerability Assessment and Penetration Testing (VAPT).

A penetration test, colloquially known as a pentest or ethical hacking, is an authorized simulated cyberattack on a computer system, performed to evaluate the security of the system; this is not to be confused with a vulnerability assessment.

- Wikipedia

So essentially it's breaking into computer systems that you have permission to break into. If you're familiar with bug bounty, you might ask: what's the difference between bug bounty and pentest?

Bug Bounty vs Pentest

Bug Bounty is when an organisation puts up a reward, aka 'bounty', for finding bugs in one of its systems, aka 'assets', which could be a web application, an application executable, etc. The organisation lays down a set of rules for anyone testing its assets along with the corresponding payout ranges. A bug bounty programme usually runs for a long period of time.

A small graphical comparison table between Pentesting vs Bug Bounty


Yahoo! Bug Bounty Page

Why do we need a Pentest?

  1. Identify Vulnerabilities: Pentests help uncover weaknesses in your systems, applications, and networks that could be exploited by attackers.
  2. Risk Mitigation: By identifying vulnerabilities early, you can proactively address them, reducing the risk of security breaches and their associated impacts.
  3. Compliance Requirements: Many industries have regulatory requirements mandating regular security testing, including Pentests, to ensure data protection and compliance.
  4. Protect Customer Data: Pentests are also done to avoid exposing customer data to a breach, by identifying the security loopholes an attacker could use to leak sensitive customer data.
  5. Protect Reputation: Detecting and fixing vulnerabilities before they are exploited helps maintain customer trust and protects your organization's reputation.
  6. Continuous Improvement: Pentests provide valuable insights into your security posture, enabling you to continually improve your defenses and stay ahead of emerging threats.

Steps of a Pentest

From the discovery call to the final report submission after the retest, there are multiple steps we take while doing a pentest. These steps ensure a good experience for our clients and increased confidence in our testing methodology. Let's see the steps involved in a pentest:

  1. Discovery Call
  2. Complete Formalities
  3. Technical Setup
  4. Day 0
  5. Daily Updates
  6. Preliminary Report Submission
  7. Retest
  8. Final Report Submission

Deep Dive into the Pentest Process

Let’s elaborate a bit on each of these steps.

  1. Discovery Call
    This is the first call that we have with the client. You can book this here.
    This call helps us gather requirements: what the targets are, the scope, guidelines we should be aware of, assets that need to be tested more rigorously, etc. We record all of this and more from the client in our VAPT Intake Questionnaire.

    VAPT Questionnaire


  2. Complete Formalities
    Once the client submits the requirements, we formalise the pentest and make it legally binding. Before any more information is shared, a Non-Disclosure Agreement (NDA) is required; either we share our NDA or the client shares theirs, and both parties e-sign it. After this we create a Statement of Work (SoW) and share a proposal that includes the SoW and a quote for the work.

  3. Technical Setup
    Once the legalities are complete, we move forward with the technical setup. This includes setting timelines, adding the client's Point of Contact (PoC) to a pentest-specific Slack channel and getting our VPN IP whitelisted. The Slack channel serves as a faster way of communication between the client and our team, which includes the pentesters and a dedicated pentest manager. We ask the client to whitelist our VPN IP so that they can easily filter out our traffic and we can be sure that our testing isn't being rate-limited.

  4. Day 0
    Now that everything is set up, we kick off the pentest. We call this Day 0.

  5. Daily Updates
    We post a daily summary of the pentest in the Slack channel to keep the client in the loop. It is usually a summary of the endpoints tested and the kinds of vulnerabilities they were tested for. This also serves as a touch-base point for the client to know what we have already covered during the pentest.

    Sample Daily Update


  6. Preliminary Report Submission
    On the pentest due date, we submit a preliminary report and set up a discussion call to go over all the findings. The report has all the findings, steps to reproduce and proof-of-concepts attached to it. If the client has asked us for Nuclei templates, we provide them during this phase, which lets them self-test their fixes before asking us to retest.

  7. Retest
    Once the client has fixed the findings, we do a retest. We check the original reproduction steps and then also try to find bypasses of the client's fixes. This usually takes 1-2 days. If there are any bypasses, we inform the client and ask them to fix those; once those are fixed we retest the bypasses. Once all the findings have been fixed, we gear up for the final report submission.

  8. Final Report Submission
    The final report is a password-protected PDF that contains the updated status of the findings. Along with this we offer our clients a 'Certificate of Attestation' mentioning the pentest summary and date.

Considerations to bear in mind when undergoing a pentest for your organization

  1. Know your Pentesters - This should be done in the Discovery Call. Have a chat with them about their methodology and their expertise in testing applications from different industries such as fintech, edtech, etc.
  2. Inform Internally - Before starting the pentest, make sure to keep the infra team and the backend team in the loop. This avoids unnecessary surprises and promotes smooth and timely testing.
  3. The Point of Contact - Should be someone with a security background, ideally a security engineer.
  4. Staging Environment - Pentesting should be done on a close replica of your prod environment and not on the prod environment itself. Many companies don't have parity between staging and production, so they conduct the VAPT on prod. This should be avoided.
  5. Identifying Testing Traffic - Ask the agency to add a unique header to all the requests they send to your systems. This helps avoid unnecessary alert fatigue, as the testing payloads may trigger a lot of internal systems and alarms.
  6. What's Left Out - Don't only ask what was tested; also make sure to find out what was left out and why.
  7. Video Proof of Concept - Prefer video proof-of-concepts for easy replication.
  8. Preliminary Report Submission - After the preliminary report submission, make sure to apprise the DevOps and backend teams.
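As an added example (not code from the original post), the Python below shows how a client's security team could use the two signals agreed during Technical Setup, the whitelisted VPN IP and the unique request header, to tag pentest traffic in its access logs without silencing real attacks: the header alone is trivially forged, so a request carrying the agreed marker from an unexpected source is escalated rather than suppressed. The VPN address, the `x_pentest` log field and the token value are placeholders, and the log lines are constructed.

```python
"""Tag pentest traffic in JSON access logs using the agreed VPN IP and marker header."""
import json
from ipaddress import ip_address, ip_network

# Assumed engagement parameters (placeholders agreed during Technical Setup).
PENTEST_SOURCES = [ip_network("203.0.113.10/32")]   # whitelisted pentest VPN egress
PENTEST_HEADER = "x_pentest"                        # log field the proxy writes the header to
PENTEST_TOKEN = "vapt-2024-02-example"              # constructed per-engagement marker value


def classify(entry: dict) -> str:
    """Return 'pentest', 'suspicious' or 'normal' for one parsed log entry.

    The source IP is the authoritative signal (it cannot be forged over TCP);
    the header is a convenience marker. A marker seen from a non-whitelisted
    source means someone is reusing it and deserves a look, not a mute.
    """
    src = ip_address(entry["remote_addr"])
    from_vpn = any(src in net for net in PENTEST_SOURCES)
    has_token = entry.get(PENTEST_HEADER) == PENTEST_TOKEN
    if from_vpn:
        return "pentest"
    if has_token:
        return "suspicious"
    return "normal"


def triage(log_lines) -> dict:
    """Group the request lines of raw JSON log entries by classification."""
    buckets = {"pentest": [], "suspicious": [], "normal": []}
    for line in log_lines:
        line = line.strip()
        if not line:
            continue
        entry = json.loads(line)
        buckets[classify(entry)].append(entry["request"])
    return buckets


# Constructed sample log (one JSON object per line, as an nginx escape=json format would emit).
SAMPLE_LOG = """
{"remote_addr": "203.0.113.10", "request": "GET /api/users?id=1%27", "x_pentest": "vapt-2024-02-example"}
{"remote_addr": "198.51.100.7", "request": "GET /api/users?id=1%27", "x_pentest": "vapt-2024-02-example"}
{"remote_addr": "198.51.100.8", "request": "GET /index.html", "x_pentest": ""}
{"remote_addr": "203.0.113.10", "request": "GET /health", "x_pentest": ""}
"""

if __name__ == "__main__":
    for kind, requests in triage(SAMPLE_LOG.splitlines()).items():
        print(f"{kind}: {requests}")
```

Requests in the `pentest` bucket can be routed to a low-priority queue during the engagement window, while the `suspicious` bucket should keep its normal alerting.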

Important things in a Pentest

  1. Setting Clear Expectations
    Make sure to properly document your expectations in the SoW.

  2. Clear and Prompt Communication
    Keep your client updated on your work. They shouldn't feel that you aren't working on the pentest.

    • Apprise them of any critical findings ASAP.
    • Let them know if you'll be load testing their systems.

  3. Accountability
    We maintain this by posting a daily report of endpoints tested and test cases in our Slack channel.
    At the end of the pentest, we also submit the full log of endpoints tested in Burp and our coverage, to ensure accountability and transparency.

  4. Timeliness
    Make sure to deliver on time. Some exploits can take a long time to develop; where this causes a delay, inform the client accordingly.
