Survival Tactics for Managing Penetration Tests
Consultants have to wear many hats and occasionally that includes being a project manager for the more complex assessments. While traditionally there are project managers or customer relations leaders that handle this, it usually bleeds over to the penetration testers at some point. I’ve been “blessed” with being the prime candidate for these types of activities with my employer as of late, so I’ve learned a few things to help keep you alive and well.
Understand responsibilities
It’s imperative to understand what all stakeholders hope to get out of the project and the responsibilities of each resource to achieve it. More importantly, understand that your role is to push the project along to success which primarily consists of removing roadblocks for your testers and anticipating what’s needed next. While you likely have a hand in the technical deliverables, know that the success of this project is directly attributed to your actions.
Over-communicate, effectively
- Determine update cadence with the customer as well as your internal team at the start of the project. Aim for updates to be spaced out far enough for work to be completed so they are actually useful.
- Keep communications brief and concise. Most companies already send testing start and stop notifications, so those don’t need to be that detailed. Your updates should pool together the status of each assessment, not give up-to-the-minute details of individual tasks.
- Give your customer a schedule even when they don’t ask for it; it gives them a warm and fuzzy feeling. The testers also benefit from seeing your expected timing of events.
- Bake in deadlines for milestones, not activities. Meaning: don’t track a vulnerability scanning task, but rather when the external assessment of the first office location has been completed.
- If appropriate, set a deadline for the project as a whole but not a deadline for individual tasks. This gives you flexibility to ramp up and down resources based on other commitments.
- I can’t stress this enough: follow up all calls/meetings with a recap email that contains the highlights and any assignments with their respective owners. This ensures that you understood the conversation correctly, gives others an opportunity to clarify or get clarity, and creates a written record to reference at a later date.
Understand Penetration Testing is an art
This is where I’ve seen most project managers fail. You can ballpark how long an assessment will take all you want, but you won’t know until you jump down the rabbit hole. I’ve tested similar applications and networks and they’ve taken drastically different amounts of time due to the findings. Of course, you’ll need a cutoff time to remain profitable but stay away from measuring down to the minute of when a task will finish. It’s better to get a sense of where the penetration tester is in the process rather than measuring how long his scan is going to take. I really hope that this remains true for you, otherwise you probably work at a pen test puppy mill that simply hits scan buttons and doesn’t dive deep enough to find the juicy stuff.
Move the documentation along
Documentation can really slow the momentum of a project to a crawl, which is why it’s important to stay on top of it. Each company has its own method to the madness, but it typically includes QA and update iterations. If your assessment has multiple components, send each component through QA as it finishes rather than doing it all at once. The final review is a breeze, the testers can move on to the fun stuff, greater focus can be given in short bursts, and most importantly you can spot issues early.
Play nice
Act as the buffer that blocks your testers from the bureaucracy and red tape, so they can focus on their work. Your testers will respect the fact that you keep the lions at bay and reward you by giving you what makes your life easier too (on time!). Treat your stakeholders as if you are the solution success liaison: you are working for them to get what they want. They want to feel that the work is being done in a timely, thorough, and cost-friendly manner. Following some of the above suggestions will leave them with a sense of confidence and usually keeps them from bugging you frequently.
Don’t panic
If things aren’t going as well as they should or the project is drastically behind, don’t panic. I’ve encountered, more often than not, that deadlines are made up by sales or just pulled from thin air. Almost always there is a way to move forward and keep your customer happy, but it starts by talking with your team from the standpoint that it’s a shared problem and not just theirs. If you keep a cool but concerned manner, your stakeholders will follow suit. Nothing sets a team on edge more than the glue of the team freaking out. They’ll assume you have more information than they do on the situation and that it’s all bad news.
Ask questions
No one expects you to be all-knowing in all areas, so ask questions when you are unsure. Your testers will appreciate that you value their input, and it allows you to manage the optics more effectively. However, don’t ask the same question more than once, as it shows you are disorganized and not listening attentively.
Summary
In short, ensuring you are communicating effectively, setting expectations, and keeping your cool will keep you out of hot water. I’m happy to share some templates or additional fine-tuned tactics if you reach out to me. Good luck!