Kickoff Call
Every application penetration test you perform should be accompanied by a kickoff call to understand the scope, timeframe, and objective of the test. Here are the typical questions I ask during these calls. The goal of your kickoff call should be to understand the application in as much detail as possible. Ideally, a developer should be on the call to answer the technical questions.
General
- At a high level, what does this application do? Who are the typical business users/consumers of the application?
- What is the sensitivity of the data the application handles? (PCI, PHI/PII, GLBA, SSNs, etc.)
- Are there any attack scenarios you as a customer are worried about? Any sensitive functionality that should be analyzed in depth?
Environment
- Is there a WAF protecting the application? Will our attack boxes need whitelisting?
- What environment are we testing in? Is the infrastructure owned by the company, or will we need third-party approval to test it?
- Are administrators notified of errors/logs via email? (To avoid spamming your points of contact with alerts generated by testing)
- Are we allowed to test 24/7? Timezone restrictions?
Technical Questions
- What language(s) is the application written in?
- What front-end technologies are in use? (React, Vue, Angular, etc.)
- What is the backend database? Are you using cloud-provider-managed databases?
- What is the authentication mechanism? Is there any 2FA? Account lockout rules?
- Are there any data-flow-diagrams, network or application architecture diagrams available?
- Roughly how many dynamic pages are there, and roughly how many lines of code?
- Are there multiple user roles in the application? Do you have a user role/permissions chart available?
- Is there an API associated with the application? Do we have access to documentation/swagger/wsdl specs?
- If this is not a black-box pentest, do we have access to the source code? If not... can we have it?