
Gathering client requirements

This step provides a generic guideline that can be drawn up in the form of a questionnaire to elicit all the information about the target infrastructure from a client. A client can be any party who is legally and commercially bound to the target organization. Thus, for the success of the penetration testing project, it is critical to identify all internal and external stakeholders at an early stage of the project and analyze their levels of interest, expectations, importance, and influence. A strategy can then be developed to approach each stakeholder according to their requirements and involvement in the penetration testing project, in order to maximize positive influences and mitigate potential negative impacts.

Note

It is solely the duty of the penetration tester to verify the identity of the contracting party before taking any further steps.

The basic purpose of gathering client requirements is to open a true and authentic channel through which the pentester can obtain any information that may be necessary for the testing process. Once the test requirements have been identified, the client should validate them in order to remove any misleading or inaccurate information. This ensures that the resulting test plan is consistent and complete.

Creating the customer requirements form

We have listed some of the commonly asked questions and considerations that may be used as a basis to create a conventional customer requirements form. It is important to note that this list can be extended or shortened according to the client's goals:

  • Collect basic information such as company name, address, website, contact person(s) details, e-mail address, and telephone number(s).
  • Determine the key objectives behind the penetration testing project.
  • Determine the penetration test type (with or without specific criteria):
    • Black box testing
    • White box testing
    • External testing
    • Internal testing
    • Social engineering included
    • Social engineering excluded
    • Investigate employee background information
    • Adopt employee's fake identity (legal counsel may be required)
    • Denial of service included
    • Denial of service excluded
    • Penetrate business partner systems
  • How many servers, workstations, and network devices need to be tested?
  • Which operating system technologies are supported by your infrastructure?
  • Which network devices need to be tested? Firewalls, routers, switches, load balancers, IDS, IPS, or any other appliances?
  • Are disaster recovery plans in place? If yes, whom should we contact?
  • Are there any administrators currently managing your network?
  • Is there any specific requirement to comply with industry standards? If yes, list them.
  • Who will be the point of contact for this project?
  • What is the timeline allocated for this project?
  • What is your budget for this project?
  • List any miscellaneous requirements, if necessary.

The deliverables assessment form

The following is an example of the type of items expected in a deliverables assessment form. This list is not exhaustive, and items should be added or removed based on customer expectations and needs:

  • What types of reports are expected?
    • Executive reports
    • Technical assessment reports
    • Developer reports
  • In which format do you prefer the report to be delivered? PDF, HTML, or DOC?
  • How should the report be submitted? Encrypted e-mail or printed?
  • Who is responsible for receiving these reports?
    • Employee
    • Shareholder
    • Stakeholder
    • Third-Party Assessor
    • Government Regulators

By using such a concise and comprehensive inquiry form, you can easily capture the customer requirements and build the test plan accordingly.
