General Scoping Thoughts
TLDR:
Identify every component the project is responsible for building and maintaining
Get administrative access (and ideally full network access)
Test all the things
Testing types:
black-box -> not good, only with management approval
normal user -> acceptable, but not ideal
normal + admin users -> preferred, but we can fall back to option 2 if not feasible
Credentials
We ONLY offer white-box testing: reviews based on full admin access. The only exception is work such as external infrastructure scanning, as most "grey box" work is handled by the VM team. Black box should only be used where a lead specifically agrees it is the right course of action for the engagement.
The reasoning for this admin-first approach is as follows:
We adhere to the "defense in depth" philosophy, and white-box testing provides a more complete picture of the security posture of the system or service.
It offers a significant time saving over black-box and grey-box testing, many of whose activities (such as brute forcing) are prohibited anyway.
Many projects will prefer black box because:
It is less effort for them to get testing arranged
The reports will have fewer issues
These issues will typically be lower severity
This is work, not a CTF :)
If the project cannot provide access, the scoping is halted until access can be confirmed. Without exceptional reason, agreed by a team lead, we do not progress with projects that are not providing us access.
Access
For each methodology, we require full access to the application and/or system, admin and (usually) user credentials, and as much coverage of the solution as possible. For example, for a web application: is it hosted on a VM? If that VM is managed by the project, it needs to be in scope for a server build review. If it is hosted in a cloud, we need to look at a cloud configuration review of the project-owned functionality.
If a project cannot provide access to something they are responsible for, this needs to be highlighted as a caveat, and the exec summary needs to call this out as making the assessment incomplete.
Methodologies
The methodologies we offer to projects are in the table below.
The scope of any engagement should be made up of these building blocks + estimated day count PER ITEM, and this breakdown should be saved in the demand portal / orderbook files.