One thought on “Do I Need to Use a Dev Environment for a Penetration Test?”

  1. Arti says:

    We perform assessments with great care, with the goal that you don’t even know we’re there (unless of course you’re monitoring SIEM alerts like you should be). Over 95% of assessments don’t have any negative effects whatsoever on the target organization, and the ones that do experience issues are usually because of a significant misconfiguration or security vulnerability. The key point here is that the dev environment has to be as close to production as possible to ensure the testing is valid and useful (and that things in production aren’t missed). But for a lot of types of penetration testing, the risk of any kind of business disruption is already extremely low. The main idea behind using a dev environment for a penetration test is to lower the associated risk of the testing being performed while still finding vulnerabilities on the systems. One of those ways that we talk about a lot is using a development or cloned environment for a few types of testing, so let’s talk through in a little more detail when it may or may not make sense to use a dev environment for a penetration test. Many of them have been through this process many times before, have had a multitude of alternative tests performed, and are not concerned in the slightest that testing will cause any sort of disruption. On the other side of the spectrum, a few clients may be having a penetration test performed for the first time and have no idea what to expect, having only the “worst-case scenario” horror stories they’ve read online to go off. Organizations have varying levels of concern when it comes to a penetration test. Whatever the case may be, we’ve talked through ways to avoid potential problems with penetration tests in a few other blogs, which include how to prevent problems during a penetration test and what can go wrong during an internal penetration test.
