A security test can provide your organzation with multiple benefits. For example, it will uncover if your security countermeasures actually resist external threats, and how well they respond in case of an attack. Computer attacks are a risk for all kinds of companies, no matter what size they have.
If you follow this checklist before conducting a security test, the process will be smooth and worry free:
1. Clearly Define Scope
Provide your security testing partner with information that clearly states the approved scope for testing. Double check that the list of IP addresses and URLs you provide are correct. Otherwise, there is a chance that your security testing partner might attack the wrong company or solution.
2. Make a Fresh Backup or Prepare a Test Environment
Security testing in a production environment should not be done before a fresh backup has been made. There could be vulnerabilities hiding in your system which could seriously affect it, if triggered during testing.
To avoid unnecessary risk, it is recommended to conduct security testing in a separated test environment. This is especially relevant when it comes to web applications. A test database in a production environment could also be a good alternative.
During web application security testing, your application will receive offensive traffic and a very high number of requests. This could potentially impact performance and trigger vulnerabilities that could result in unwanted side effects.
The testing techniques can of course be adapted to production environments, but be aware that the more restrictions you set, the less effective and efficient the testing will be.
3. Notify Affected Third Parties
Unless you want to test incident response capabilities, it is a good idea to notify any third parties that might be affected by the security test. This will avoid hasty actions from hosting providers that think they are under a real attack.
If you use hosting providers such as Microsoft Azure or Amazon Web Services (AWS), you are required to apply for permission before conducting any security testing.
4. Appoint a Technical Contact Person
A security test is usually conducted quite independent and requires little work from the customer. Sometimes questions arise or coordination is needed, so you should appoint a technical contact person who is available for the tester during the course of the engagement.
5. You Are All Set!
You can now lean back, relax and await the security test results.
Guide – Security Test: Scope & Frequency
We recommend that you read our guides for web application and network security testing, where you can find tips related to recommended testing frequency, scope and methodology.