
How you should scope your assessment

Scope management is the process of defining what work is required, and then making sure that all of that work, and only that work, is done.

Check out a deep dive from Mark Curphey circa 2007: The Art of Scoping Application Security Reviews

Accurate scoping is key to a successful assessment. If the scope places the wrong focus, then risks will not be identified. If an assessment is scoped too narrowly, there will be insufficient coverage of the targeted risks. If it is scoped too broadly, then either depth of coverage will suffer or excessive costs will be introduced.

Strike a balance between performing a comprehensive set of tests and evaluating functionality and features that present the greatest risk
GSA IT Security Procedural Guide: Conducting Penetration Test Exercises

It is important to identify the limitations of your resources - time, budget, or internal expertise and ability to support assessment efforts. The scope must be grounded in your organization’s risk, informed by your threat model and asset classification schemas.

In order to minimize the cost of penetration testing, one essential thing that must be done is to reduce the amount of labor time associated with each test. In order for penetration testing to be truly useful to software developers, testing scenarios and test cases need to involve a great deal of in-depth knowledge of the application undergoing the testing. This means that more, not less, human time and energy needs to go into testing.
CISA - Adapting Penetration Testing for Software Development Purposes

Define your budget before beginning the scoping process, especially in organizations with significant processes around approvals. The cost range of “a security assessment” is practically unbounded, which means that overall budget and desired scope will be the salient factors defining the vendors you can afford. When considering possible elements of the scope, take into account the trade-offs of cutting down the scope versus selecting a vendor with a cheaper rate.

Bear in mind Parkinson’s law - “work expands so as to fill the time available for its completion”

How to pick your target

There is no single rule for targeting an assessment. Take advantage of your familiarity with your environment; you know your assets best! Targeting is nuanced and depends on a variety of factors, including:

  • Your motivations for the assessment

  • Your desired balance of breadth and depth

  • Your risk assessment, threat model, and data classification (you have these, right?)

  • Your measurement goals, such as controls testing or detection capability assessment

For your first assessment with a new vendor, consider limiting the scope to a cost-efficient trial run.

Assessor requirements

Every requirement you specify limits your pool of vendors, which in most cases increases your costs. The major justifications for a constraint tend to be technological limitations or regulatory obligations. Carefully consider each requirement, weighing its benefits against the cost. Some common, significant requirements I’ve seen include:

  • The assessment must be performed onsite

  • Clearance, certification, or citizenship requirements

  • The vendor must follow specific methodologies (e.g., a specific tool, set of test cases, or host)

Additional follow-on requirements

Remediation assistance is a common follow-on requirement. However, that can significantly limit the available vendors. It can force you into using a global firm, MSSP, or VAR. Know that any competent vendor’s report should be usable by an internal team or existing MSP. High-pressure sales tactics pushing remediation are generally FUD.