How To Kick Off Application Security Testing – The Right Way

To increase your chances of success and keep yourself out of trouble during a pentest, hosting a kickoff meeting prior to the start of testing is essential. In this post, I’ll go into some of the elements of a successful kickoff meeting and provide you with a checklist of questions to cover during the meeting.

It is a fairly standard practice in the project management world to host a kickoff meeting prior to beginning the project. The same is true for a pentesting engagement. As a tester, you may think that once you have a URL and credentials, you can start testing. This approach almost always leads to problems. A pentest has a lot of moving parts, and there are a number of things that could go wrong during the project. The kickoff meeting is your chance to make sure everyone involved with the engagement is on the same page and has the same expectations and objectives for the project.

At a minimum, the kickoff meeting allows individuals associated with the engagement to introduce themselves. Knowing members of the team can be very helpful if you want to pick up the phone and ask a question, if the site goes down and you need help, or to tailor the final report to a particular audience.

This is also an important time for covering and confirming the basic project management and contractual questions for the engagement such as the start and end dates, roles and responsibilities, deliverables, rules of engagement, and risks. If you are lucky enough to have a project manager attend the meeting with you, they’ll make sure to cover many of these topics, allowing you to focus on pentest specific questions.

The kickoff meeting can be used for scoping and an application walkthrough. See a previous article on how to scope an application. Basically, this is the process of going over the what, when, where, why, and how of pentesting to make sure there are no misunderstandings once the TCP packets start flying. An application walkthrough at this point is invaluable and will give the tester additional insight into the application, how it works, and a head start on mapping the attack surface. Scoping and the application walkthrough are so important that they may require a separate meeting to have enough time to do them correctly.

The kickoff meeting is also a good opportunity to talk about your methodology as a tester. The client may have a completely different view than you of how a pentest should be conducted and what should be tested. Walk through your methodology at a high level so the client can ask questions and have any concerns addressed.

Also use this meeting to check in on the readiness to start testing. Make sure you have everything you need to conduct testing, including URLs, credentials, points of contact (POCs), etc. Confirm with the client that the environment is ready, that your testing IP addresses are whitelisted, and that any third-party approvals have been gathered.

At the end of the kickoff meeting, you should make sure that everyone’s questions and concerns have been addressed and that everyone is comfortable with the test going forward. You’ll hopefully have a green light to begin testing at the end of the meeting, along with the confidence that there won’t be any surprises or problems that can’t be easily resolved based on the groundwork you laid in the kickoff meeting.

Below I have included a core set of questions to consider asking during the kickoff meeting.

Good luck in kicking your next test off the right way!

  • What is the name of the application?
  • What is the URL?
  • Describe the business reason for the application.
  • Describe the functionality of the application.
  • Who are the users of the application?
  • How many roles does the application provide (admin, user, etc)?
  • Which of these roles are in scope for testing? At a minimum, 2 accounts with different privileges should be used.
  • Are there any complicated workflows? Will the tester be able to complete all workflows?
  • Does everything in the application work as expected in the test environment? Are there any functions that the tester won’t be able to test?
  • What environment will be used for testing?
  • If production is to be used, are precautions in place? (e.g., backing up data)
  • Is the application hosted by a third party and are any additional approvals or notifications needed?
  • What is the deadline for testing? For reporting?
  • Are there any specific attack scenarios you are worried about?
  • Are there any compliance requirements for the testing such as PCI?
  • Have you performed testing on the app/network prior to this engagement? If so, can the previous report be provided?
  • Do any third parties need to be notified of the testing? (e.g., SOC members)
  • Is there an emergency contact in case of problems?
  • Will anyone else be using the testing environment? Will they be impacted by performance hits or data changes?
  • Are any external security measures in place such as intrusion detection or application firewalls that may block testing?
  • What application security measures have you put in place within the application?
  • Are there any restrictions on testing? (certain times, types of testing, components or functions not to test)
  • Are there any admin or configuration panels that, if changed, would negatively impact the environment?
  • Is IP address whitelisting needed?
  • Will credentials be provided?
  • Is a VPN needed for access?
  • When can testing start? What is the expected end date?
  • Can you provide a walkthrough of the application?
  • Is there any other information we should know?