The scope
Do you really need to test every single URL and subdomain, or is there a more focused set that the testers can target? A smaller test scope allows deeper analysis of each component.
Testing can also be broken down into smaller, more frequent engagements. Each one then focuses on a single component at a time, and the internal team gets a more manageable remediation load after each round.
The timing
Business-hours testing is recommended only when the application can handle the extra load. Testing often slows down components such as backend databases, so factor that in as well.
Don’t test right before a maintenance window or a new release; test once the changes have stabilized.
The right environment
Dev/QA/Staging environments are ideal for pen testing when they accurately mirror production. If you run a high-availability setup, a production test is the better choice.
Hackers target the prod environment, so it is important to test that as directly as possible.
APIs?
If you have APIs, testing them with and without authentication will yield the best results. It is also important to have documentation ready for the APIs so the testers can go deep into each call and endpoint.
Black-box testing is great for real-world simulation, but it won’t find as many vulnerabilities as white-box testing.
User accounts
An often-overlooked part of a web app pen test is providing the testers with fake accounts. With them, testers can check permissions, cross-account isolation, and opportunities for privilege escalation, which shows what could happen if a real user account is compromised.
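The kind of check those fake accounts make possible, as an added example that is not part of the original post or any CYBRI tooling: a harness that takes every issued account (plus an unauthenticated caller, covering the with-and-without-authentication API case above), tries every document and action, and compares the result with expectations written down from the spec. The accounts, documents, and the two toy policies are constructed for illustration; the second policy deliberately drops the ownership check on reads so the harness has something to flag.

```python
"""Cross-account authorization harness (added example, not from the original
post). It models a toy document API under two policies, one correct and one
missing an ownership check, and runs every caller, including an unauthenticated
one, against every document and action. Accounts and documents are constructed."""

from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Account:
    name: str
    role: str  # "user" or "admin"


@dataclass(frozen=True)
class Document:
    doc_id: int
    owner: str


# Constructed stand-ins for the fake accounts a tester would be issued.
ACCOUNTS: Dict[str, Optional[Account]] = {
    "alice": Account("alice", "user"),
    "bob": Account("bob", "user"),
    "root": Account("root", "admin"),
    "anonymous": None,  # the unauthenticated case
}
DOCS = {1: Document(1, owner="alice"), 2: Document(2, owner="bob")}
ACTIONS = ("read", "write", "delete")
Policy = Callable[[Optional[Account], Document, str], bool]


def is_allowed(caller: Optional[Account], doc: Document, action: str) -> bool:
    """Intended policy: anonymous gets nothing, admins may only read,
    owners may read/write/delete their own documents."""
    if caller is None:
        return False
    if caller.role == "admin":
        return action == "read"
    return doc.owner == caller.name


def is_allowed_weak(caller: Optional[Account], doc: Document, action: str) -> bool:
    """Same policy with the ownership check dropped for reads: any signed-in
    user can read any document (an insecure direct object reference)."""
    if caller is None:
        return False
    if caller.role == "admin":
        return action == "read"
    if action == "read":
        return True  # missing: doc.owner == caller.name
    return doc.owner == caller.name


def access_matrix(policy: Policy) -> Dict[Tuple[str, int, str], bool]:
    """Exercise every (caller, document, action) combination under a policy."""
    return {
        (name, doc_id, action): policy(account, doc, action)
        for name, account in ACCOUNTS.items()
        for doc_id, doc in DOCS.items()
        for action in ACTIONS
    }


# Expectations written down from the spec before testing: cross-account and
# anonymous access must be denied, owner access and admin reads must work.
EXPECTED = {
    ("anonymous", 1, "read"): False,
    ("bob", 1, "read"): False,
    ("bob", 1, "write"): False,
    ("alice", 2, "delete"): False,
    ("alice", 1, "read"): True,
    ("root", 2, "read"): True,
    ("root", 2, "delete"): False,
}


def find_violations(policy: Policy, expected=EXPECTED) -> List[Tuple[str, int, str]]:
    """Every combination where the policy disagrees with the expectation."""
    actual = access_matrix(policy)
    return sorted(k for k, want in expected.items() if actual[k] != want)


if __name__ == "__main__":
    for pol in (is_allowed, is_allowed_weak):
        print(pol.__name__, "violations:", find_violations(pol))
```

The point of the matrix is that it is exhaustive: with three accounts, an anonymous caller, two documents and three actions it already covers 24 combinations, which is exactly the ground a tester with only one account cannot walk.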
The code
Most compromises of cloud applications are due to hard-coded keys in code repositories that are unknowingly made public. Reconnaissance of exposed code artifacts should be in scope for the testers.
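What that reconnaissance looks for, as an added example that is not part of the original post or any CYBRI tooling: a small scanner that walks source text for hard-coded credentials. The AWS access key ID format (AKIA followed by 16 uppercase alphanumerics) is the documented one; the generic assignment pattern, the entropy threshold and the sample settings file are assumptions constructed for illustration, and a real engagement would run a maintained scanner ruleset rather than this hand-rolled one. The sample key is the placeholder from AWS documentation, not a live credential.

```python
"""Hard-coded credential scan over source text (added example, not from the
original post). Pattern set and thresholds are assumptions chosen for
illustration; the sample input is constructed."""

import math
import re
from collections import Counter
from typing import List, Tuple

# Detection rules: (name, compiled regex). The AWS access key ID format is the
# documented AKIA + 16 uppercase alphanumerics; the other rule is a generic
# heuristic for NAME = "value" assignments whose name hints at a secret.
RULES = [
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("generic_assignment",
     re.compile(r"(?i)\b\w*(api[_-]?key|secret|token|password)\s*[:=]\s*['\"]([^'\"]{12,})['\"]")),
]


def shannon_entropy(s: str) -> float:
    """Bits per character; high values suggest random material such as a key."""
    if not s:
        return 0.0
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def redact(value: str) -> str:
    """Keep only the first four characters so the report does not re-leak the secret."""
    return value[:4] + "*" * (len(value) - 4)


def scan_text(text: str, entropy_threshold: float = 4.0) -> List[Tuple[int, str, str]]:
    """Return findings as (line_no, rule, redacted_value). Generic assignments
    are reported only when the assigned value also looks random, which filters
    out placeholders like "changeme"."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for name, rx in RULES:
            for m in rx.finditer(line):
                value = m.group(m.lastindex) if m.lastindex else m.group(0)
                if name == "generic_assignment" and shannon_entropy(value) < entropy_threshold:
                    continue
                findings.append((line_no, name, redact(value)))
    return findings


# Constructed sample of a settings file that was never meant to be committed.
SAMPLE_SOURCE = """\
# settings.py (constructed sample, not real code)
DEBUG = True
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
DB_PASSWORD = "changeme_in_prod"
STRIPE_TOKEN = "Xk29pQv7LmN4rT8wB3zYcH6dF1gJ5sA"
"""


if __name__ == "__main__":
    for line_no, rule, preview in scan_text(SAMPLE_SOURCE):
        print(f"line {line_no}: {rule}: {preview}")
```

Two design choices matter here: the report is redacted so the findings document does not itself become a second copy of the leaked key, and the entropy check keeps the generic rule from drowning the report in obvious placeholders. The scan is meant to run over anything publicly reachable (repositories, container images, build artifacts), because that is where the exposure happens.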
Choosing the testers
Does your pen testing vendor allow you to choose testers?
If so, look for testers with experience in your application’s languages and in the industry it serves. That lets them go beyond the technology basics and focus on the business logic and interactions that could be exploited.
Here at CYBRI we allow you to pick your testers based on their experience level and industry of expertise.