Should you do a demonstration of your solution to pentesters

Before starting a pentest, should you present your product or solution to pentesters? It all depends on your situation and on your objectives!

What are the advantages of not doing a demonstration?

If you want to assess the security of your solution under realistic and as close as possible conditions to a cyberattack, it is better not to do a demonstration to pentesters.
During the penetration testing, they discover then the solution during their preparation, through information available online and along their attacks.
They put themselves in the shoes of an attacker, follow the same thinking path and will see the same sensitive points.

By letting the pentesters discover your product or solution, they can take a fresh look at your situation. Moreover, they will not focus tests on elements you would have indicated: they will define themselves the priority attacks based on the information they collect.

Not making a presentation of your solution suits products that are functionally simple. Pentesters are used to and experienced to test various solutions, which allows them to identify the product’s operating processes without the need of a presentation.

This approach without demonstration is an external pentest. Just like an attacker having access to your solution from the internet, pentesters find and test elements available for all. These accessible and available online elements are parts to be carefully controlled, as they might experience general or targeted attacks.
The pentest can be Black Box or Grey Box.

What are the advantages of doing a demonstration?

Presenting your solution before starting a pentest has the advantage to give to pentesters a good understanding of your product. This is relevant for complex business solutions, for which the workflow is specific and industry-related. Attacks carried out will be then wise regarding the particular stakes of the activity. Moreover, a good understanding of the business logic is essential to test logic flaws.

Having a demonstration is also an advantage for in-depth pentests, which aims to assess in detail the security of a solution. Knowing beforehand the articulation of functionalities makes it possible to test them better and not to forget elements that are used by the product.
This is also suitable for products which evolve in the way they work or for which new features are added regularly.

Finally, the presentation enables pentesters to establish an attack plan at the beginning of the security audit, in order to optimize the time allocated for the audit. They directly target the important parts to test, as they know how your product works.

To conclude, doing or not doing a demonstration of your product to pentesters before an audit depends on your objectives. Take some time to think about your needs, and do not hesitate to discuss with your pentest provider, in order to choose what best fits your situation.

To receive other articles: click here