Should I Whitelist My Penetration Testers?

Do you have a penetration test coming up? You might have a lot of questions on preparing for your assessment. You might even wonder “Should I whitelist my penetration testers?”. This article will shed some light on Lucid Security’s take on this question.

Addressing Concerns

Lucid Security strongly believes in providing transparency in all of our testing efforts when conducting an assessment. Because of that, Lucid Security tries to address any questions or concerns during a kick-off call. The kick-off call is the perfect time to address whitelisting the testers' IP addresses. For the purpose of this article, let's assume the scenario is that you will be having an external penetration test. That is, emulating what an attacker can do from anywhere on the Internet. You likely have some protections in place, whether it's a web application firewall (WAF) or an intrusion prevention/detection system (IPS/IDS). So you may wonder why you would want to whitelist the penetration testers' IP addresses if the engagement is supposed to be a realistic emulation of an attacker.

Reasons to Whitelist Testers' IP Addresses

It is perfectly reasonable to want to actively test your defenses. In fact, this is something Lucid Security encourages. At request, Lucid Security will test whatever defenses you have in place, but recommends whitelisting the penetration testers' IP addresses after about a day. We believe that it is important to find ALL vulnerabilities by providing a holistic approach to our assessments. By whitelisting the penetration testers' IP addresses, the team will be able to find any underlying vulnerabilities that the defenses would otherwise mask. As it has been proven that attackers can bypass WAFs under certain circumstances, it is important to find and address all security issues. Lastly, most web application firewalls are under constant security scrutiny, as they are used by a wide array of users worldwide.

Lucid Security’s Recommendation

At Lucid Security, we recommend having a discussion during the scoping call or kick-off call to determine what your goals are. In most cases, a happy medium can be found by testing defenses early in the assessment and then switching to a completely whitelisted approach. In other cases, you may be completely confident in your defense capabilities and want to start right off the bat with whitelisting the penetration testers' IP addresses, making the most of your testing window by looking "under the hood" for all vulnerabilities.

Lucid Security Can Help

Whatever approach you prefer, Lucid Security is happy to work with you and figure out the best solution for your organization. Feel free to reach out today and let us know how we can help by contacting us.
