What to Include in Your Security Testing Supplier’s Agreement

A successful penetration test requires good preparation with an airtight service-level contract between the customer and a supplier that helps both to achieve the ultimate goal: security.

Listed in this post are some important items to include in the contract. This is by no means a comprehensive list, but it should help you understand the breadth and depth associated with a good security penetration test and the importance of a close relationship with your supplier to ensure your business requirements are clear.

The test objective

The agreement between the supplier and customer should first of all state the security testing goals and ultimate objective. If the objective is not clearly stated, you may receive a list of vulnerabilities that have little or no correlation to risk. In addition, the supplier should provide a definitive statement in the testing deliverable regarding the outcome of the testing objective.

The test scope

Initially, the customer must identify the testing scope by stating what needs to be tested and what must be excluded from the scope. This way the customer can ensure that they are technically ready for any accidental downtime and that no out-of-scope services are touched. The parties should also agree on whether defensive layers such as network or application firewalls should be disabled for the supplier's list of IP addresses. A defined scope also helps to determine the amount of time required to complete the test.

The tester’s qualifications

To assure the quality of the assessment, the customer should ensure that the vendor is going to allocate competent resources with both knowledge and certifications such as CEH, OSCP and CREST. These certifications test the methodology and technical capabilities of the assessor. Competent testers can assure that all reported vulnerabilities are valid and proven. Also, qualified analysts with good penetration testing experience can be more gentle with the customer's systems and not cause any downtime to any of the services.

The methodology and tools

Some testing tools could be malicious. Hence, the customer must be sure which testing tools are to be used during the penetration test. The danger of some free open-source tools is that they can include malicious functions that might send scan results to a malicious third party, or even give that party full access to the tested systems! This can be much more harmful.


During the penetration test, critical findings may be discovered on the system. The supplier must therefore communicate these findings to the customer as fast as possible so they can be fixed before they are exploited.

The test report

The supplier should provide an extensive report that highlights all security flaws and misconfigurations that affect confidentiality, integrity, and availability. These issues must be well described and supported by a proof of concept (PoC). The report should confirm the existence of any vulnerability and should be accompanied by recommendations that will help developers or system administrators to remediate the finding. The PoC must show the steps that can be followed to reproduce the discovered flaw so that the customer can fix and recheck the issue, confirming the effectiveness of the applied fix.

A good penetration test report must include an executive summary section that briefly describes the discovered vulnerabilities in high-level language that can easily be understood by a non-technical person. This section of the report is essential for top management, enabling them to make key decisions on what should be improved to ensure a higher security level.


In summary, the service-level contract is key to ensuring that the customer's requirements are clearly delivered to the supplier and that the supplier is willing to respect what is agreed upon. It should include all of the customer's expectations about how the service should be carried out and how long it should take. It should also include how results are to be delivered while maintaining quality.


Risk Crew