Appsec Kickoff Calls

Kickoff Call

Every application penetration test you perform should be accompanied by a kickoff call to establish the scope, timeframe, and objective of the test. Here are the typical questions I ask during these calls. The goal of the kickoff call is to understand the application in as much detail as possible before testing starts, so that effort goes to the functionality that matters and nothing in scope is missed. Ideally, a developer should be on the call to answer the technical questions; a project manager alone usually cannot.

General

  • At a high level, what does this application do? Who are the typical business users/consumers of the application?
  • What is the sensitivity of the data the application handles? (PCI-scoped card data, PHI/PII, GLBA-regulated financial data, SSNs, etc.)
  • Are there any attack scenarios you, as the customer, are particularly worried about? Is there any sensitive functionality (payments, file upload, password reset, admin interfaces) that should be analyzed in depth?

Environment

  • Is there a WAF protecting the application? Will our attack boxes need to be whitelisted? (Agree up front whether you are testing the application behind the WAF or with your source IPs exempted; otherwise the WAF's blocking shows up as false negatives in your results.)
  • What environment are we testing in (production, staging, development)? Is the infrastructure owned by the company, or is it hosted by a third party whose approval we will need before testing?
  • Are administrators notified of errors/logs via email? (Ask so you do not flood your point of contact's inbox with alerts generated by the test.)
  • Are we allowed to test 24/7? Are there any timezone or maintenance-window restrictions?

Technical Questions

  • What language(s) is the application written in?
  • What front-end technologies are in use? (React/Vue/Angular, etc.)
  • What is the backend database? Is it a cloud-provider-managed database service?
  • What is the authentication mechanism? Is there any 2FA? What are the account lockout rules? (Lockout rules determine how aggressively you can test authentication without locking out real users.)
  • Are there any data-flow diagrams, or network or application architecture diagrams available?
  • Roughly how many dynamic pages are there, or how many lines of code? (This is the quickest gauge of how much effort the test will take.)
  • Are there multiple user roles in the application? Do you have a user role/permissions chart available? (You will need it to test for horizontal and vertical privilege escalation.)
  • Is there an API associated with the application? Do we have access to documentation, such as OpenAPI/Swagger or WSDL specs?
  • If this is not a black-box pentest, do we have access to the source code? If not... can we have it?