Hi Naveen,
here are some thoughts... There is no "ideal scope for a first-time penetration test" in my view. You should do a Threat Modeling (TM) of your solution first: You and your team know best about the solution you want to implement. Think like a hacker and find out how you would attack your solution: Do you have any internal and external UIs, any APIs, any scripts, any IAM, any logging and alerting,...? Based on the TM you will find out what the potential "attack vectors" are and their related risk (assess the probability of an attack and its impact). Now you want to minimize the risk... Prior to the Pen Test you may run vulnerability scans and fix ("security patch") found vulnerabilities. You may also do some security health checks, e.g. for verifying secure configurations. The aim is to reduce the risk of being impacted by a hack...
- Since attackers come from both external and internal, the priority is dependent on the Threat analysis. I wouldn't exclude external or internal without looking deeper into it.
- Scope discussions are always challenging: Too much scope takes longer time to perform and later on fixing time. Focus on the highest and moderate risk areas first. There is a price tag for Pen Testing as well, larger scope may result in higher expenses...
- During your Threat Modeling you will find out how deep Pen Testing of a component, API, UI, etc. is. Think about an internal hacker (employee), who is very skilled in the solution. Think also about external hackers, may be some kids playing around or some highly skilled state actors...
Last comment: The external Pen Testing company will do what you define as scope and what you pay them! The solution is yours, you are the owner and responsible for the solution. Ask about the methods the Pen Testing company wants to use. You may want to exclude certain methods like DDoS attack of your solution, if it is not in a separated test environment...
Pen Testing is not a one-time task: You may want to re-run the Pen Testing after fixing the findings from the initial one. During Pen Testing additional areas of concern may arise which you may have overlooked in your TM.
Regards,
Turgut Aslan
------------------------------
Turgut Aslan
------------------------------
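The reply above describes scoping a first pen test from a threat model: inventory the components (UIs, APIs, scripts, IAM, logging), rate probability and impact, put the high and moderate risk areas in the first phase regardless of whether they are internal or external, and agree up front which test methods (e.g. DDoS) are excluded outside an isolated test environment. The following is an added example, not code from the original post or its author; the component inventory, the 1-5 rating scale and the tier thresholds are constructed assumptions to illustrate the workflow.

```python
from dataclasses import dataclass

# Constructed example: one entry per component found during threat modeling.
# probability and impact use an assumed 1 (low) .. 5 (high) scale.
@dataclass
class Component:
    name: str
    kind: str               # "ui", "api", "script", "iam", "logging"
    exposure: str           # "external" or "internal" attacker reach
    probability: int        # likelihood of a successful attack, 1..5
    impact: int             # business/data impact if it succeeds, 1..5
    test_env_isolated: bool = False  # true if a separate test environment exists

    @property
    def risk(self) -> int:
        """Simple risk score: probability x impact (assumed scoring model)."""
        return self.probability * self.impact


def risk_tier(risk: int) -> str:
    """Map a 1..25 risk score to a tier; thresholds are assumptions."""
    if risk >= 15:
        return "high"
    if risk >= 8:
        return "moderate"
    return "low"


def excluded_methods(component: Component) -> list[str]:
    """Methods the reply suggests excluding unless the target is isolated."""
    excluded = []
    if not component.test_env_isolated:
        # disruptive testing against shared/production infrastructure is excluded
        excluded.append("ddos")
    return excluded


def plan_scope(components: list[Component],
               phase1_tiers: tuple[str, ...] = ("high", "moderate")) -> dict:
    """Rank by risk and split into phase 1 (test now) and later phases.

    Internal components are deliberately NOT filtered out: the split is by
    risk tier only, as the reply recommends.
    """
    ranked = sorted(components, key=lambda c: (-c.risk, c.name))
    phase1 = [c for c in ranked if risk_tier(c.risk) in phase1_tiers]
    later = [c for c in ranked if risk_tier(c.risk) not in phase1_tiers]
    return {
        "phase1": [
            {"name": c.name, "exposure": c.exposure, "risk": c.risk,
             "tier": risk_tier(c.risk), "excluded_methods": excluded_methods(c)}
            for c in phase1
        ],
        "later": [
            {"name": c.name, "exposure": c.exposure, "risk": c.risk,
             "tier": risk_tier(c.risk)}
            for c in later
        ],
    }


# Constructed inventory for a hypothetical multi-cloud solution.
INVENTORY = [
    Component("customer-portal", "ui", "external", 5, 4),
    Component("partner-api", "api", "external", 4, 4),
    Component("iam-sso", "iam", "internal", 3, 5),
    Component("deploy-scripts", "script", "internal", 3, 3, test_env_isolated=True),
    Component("central-logging", "logging", "internal", 2, 3),
    Component("intranet-wiki", "ui", "internal", 2, 2),
]


def build_plan() -> dict:
    return plan_scope(INVENTORY)


if __name__ == "__main__":
    plan = build_plan()
    print("Phase 1 (highest and moderate risk first):")
    for entry in plan["phase1"]:
        print(f"  {entry['name']:16} {entry['exposure']:8} risk={entry['risk']:2} "
              f"tier={entry['tier']:8} excluded={entry['excluded_methods']}")
    print("Later phases:")
    for entry in plan["later"]:
        print(f"  {entry['name']:16} {entry['exposure']:8} risk={entry['risk']:2} tier={entry['tier']}")
```

Note that `iam-sso`, an internal component, lands in phase 1 purely on its risk score, which is the point of the reply: exposure feeds the probability estimate, but it does not decide scope on its own. The `excluded_methods` list is what you would hand to the testing company as part of the rules of engagement.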
Original Message:
Sent: Tue June 17, 2025 02:53 AM
From: Naveen Kumar
Subject: What's the ideal scope for a first-time penetration test in a multi-cloud setup?
Hi all,
We're planning our first full-scale penetration test across a multi-cloud environment that includes a mix of private and public workloads. We're trying to define the right scope: whether to test everything at once or phase it out based on criticality.
A few questions for those who've been through this:
Should we start with external-facing apps only, or include internal networks from the beginning?
Are there recommended scope limits for first-time assessments?
How do you balance between surface-level testing vs. in-depth manual testing?
We're considering reaching out to a penetration testing company in India with experience in handling complex infrastructure like this, but I'd love to hear how others scoped and structured their first few tests.
Appreciate any insights or checklists you might have used!
------------------------------
Naveen Kumar
Cybersecurity
StrongBox IT
Chennai
------------------------------