Penetration testing is a focused discipline. Organizations do not want to incur unnecessary risk during an engagement and many have cost considerations. It may be too expensive to test everything all at once. This is where scope comes in.
The scope of a pentest is the sum of all the boundaries of an engagement, which is a combination of all items to be tested or to be specifically excluded from that engagement. When a consultant says that something is "out of scope" for an engagement. It means that that software, system, network or activity is not allowed within the engagement.
Every penetration engagement has a scope, or some limitations on what should and shouldn't be tested. Organizations can extract the most value out of engagements that are well scoped. Good scoping is granular, cost-effective and focused. A well scoped engagement is granular because it derives specific issues from a single or logical grouping of business function. For example you may have an entire internal network be the scope for an engagement, or you could set the scope of the engagement to a couple of web applications.
A well scoped engagement is cost-effective. If you try to capture too much in one engagement you end up with an assessment that is underscoped. This means that there isn't enough time or personnel allocated to get adequate coverage for an engagement. Conversely, it is possible to overscope something and devote too much time, energy, and man hours to an assessment. Either case the customer suffers because they did not get enough value for the cost incurred.
A well scoped engagement allows security teams time and energy to focus on some specific items. Perhaps you have developers as part of a team to develop and maintain a particular web application. It would probably be a good idea to have a pentest focused entirely on that one web application and present the findings to that team.
How do we assess scope?
Different customers often have different needs and requirements for a pentest. We start off with an initial scoping call as part of our onboarding process. This is followed by a Kick-off meeting closer to the date of the actual test to double check. We also have customers fill out a Scoping Document to designate what items need to be tested and what activities are allowed. These details are absolutely critical part of the assessment. A clear understanding between both parties is necessary to prevent unaffiliated systems from being compromised during the penetration test. It also ensures that all the items discussed will be covered.
Other consulting companies may require a pentest scope questionnaire. This is just another document used to gain a better understanding of what is and isn't allowed to be tested.
Good scoping and bad scoping can make or break a pentest. It's important to ensure that engagements are well scoped to keep them granular, cost-effective and focused. Scoping is one of the initial phases of the penetration testing process and requires effective communication to get the most benefit out of the assessment.
