Once you have decided to go for a penetration test, you may wonder whether it should target your production environment.
Depending on the risks, it can be appropriate to perform the security audit either on a production environment or a test environment. Below is a summary of the pros and cons for each alternative.
Perform a Penetration Test on a Production Environment: Pros and Cons
The best reason to perform a penetration test on a production environment is that you get a security assessment of the real target.
It lets the pentesters probe the same target that is exposed to users and to potential attackers. They can look at the features, the entire setup of the service, the interactions between features, the integration with third-party services, etc., which is sometimes not possible when a pentest targets a staging environment.
A penetration test on a production environment therefore makes it possible to test the whole solution and to get a realistic picture of it in operation. It can also provide insights about which assets are the most interesting from an attacker's point of view, and show when the security tools in place detect the attacks.
But the question is: Will a pentest on the production environment interfere with the daily activity of the system? What are the real risks? Although a professionally performed penetration test will not destroy your systems, it can impact the target in several ways. Some tests could add junk data, fill up ticket queues, create pop-ups, or slow down some processes, for instance.
Then, the central question is: What are the risks for your business? And can you accept these risks? If the risks seem too high, the alternative is to perform the pentest on another environment, typically a staging, dev or test environment.
Perform a Penetration Test on a Test Environment: Pros and Cons
If you go for a pentest of a test environment, it is strongly recommended to set up a target that is identical to your production environment.
For instance, if the pentest targets a web application, both the application layer and the server configuration should be identical. This is important to ensure that you get useful security feedback from the pentest.
The main advantage of a penetration test on a non-production environment is that it does not impact the users or interfere with the activity. For that reason, there may be fewer restrictions on the pentest: some vulnerabilities can be exploited further, since, for instance, there is no repercussion on the company's data.
A penetration test on a non-production environment can be a good option when data integrity or service continuity is crucial for the company. In some cases, it really makes sense to pentest:
- A dev environment: if it lets the pentesters test the latest developments that have not been released yet.
- A test environment: if the target is software deployed as one instance of the solution per client. It is then worthwhile to create a new instance dedicated to security audits, with a complete data set.
- A demo environment: if it is ready and representative of the target.
Sometimes, it is possible to go for a mixed approach:
- The first pentest targets a non-production environment, as the systems may be very vulnerable initially. The second pentest targets the production environment, once the security level of the systems has been improved.
- The pentest targets a production environment, except for denial-of-service tests, which can be run on a pre-production environment if they are considered particularly risky. But this requires the server configuration to be identical!
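The advice above (a test or pre-production target must mirror production's application layer and server configuration) is easier to act on if you can measure drift between the two before the pentest starts. The following is an added example, not code from the original article: it compares two configuration snapshots and lists every setting that differs. The snapshots are constructed sample data; in practice you would fill them from your own inventory (package versions, web-server settings, response headers).

```python
"""Environment-parity check: compare a production and a staging snapshot.

Added example; the snapshots below are constructed sample data, not a
real system's configuration.
"""

# Constructed snapshots of the settings that most affect pentest results.
PRODUCTION = {
    "app_version": "2.4.1",
    "web_server": {"software": "nginx/1.24.0", "tls_min_version": "1.2",
                   "client_max_body_size": "10m"},
    "response_headers": {"Strict-Transport-Security": "max-age=31536000",
                         "X-Frame-Options": "DENY",
                         "Content-Security-Policy": "default-src 'self'"},
    "waf_enabled": True,
}
STAGING = {
    "app_version": "2.5.0-rc1",             # newer code than production
    "web_server": {"software": "nginx/1.24.0", "tls_min_version": "1.0",
                   "client_max_body_size": "10m"},
    "response_headers": {"Strict-Transport-Security": "max-age=31536000",
                         "X-Frame-Options": "DENY"},   # CSP header missing
    "waf_enabled": False,                   # WAF not deployed in staging
}


def config_drift(prod, other, path=""):
    """Return {dotted.key: (prod_value, other_value)} for every setting
    that differs. A key present on only one side shows None for the other.
    Nested dicts are walked recursively so the report names the exact key."""
    drift = {}
    for key in sorted(set(prod) | set(other)):
        full = f"{path}{key}"
        a, b = prod.get(key), other.get(key)
        if isinstance(a, dict) and isinstance(b, dict):
            drift.update(config_drift(a, b, full + "."))
        elif a != b:
            drift[full] = (a, b)
    return drift


def parity_report(prod, other):
    """One human-readable line per drifted setting (empty list = parity)."""
    return [f"{key}: production={a!r} staging={b!r}"
            for key, (a, b) in config_drift(prod, other).items()]


if __name__ == "__main__":
    for line in parity_report(PRODUCTION, STAGING) or ["no drift"]:
        print(line)
```

Every line in the report is a finding the pentest would either miss (a control present only in production, like the WAF or CSP header) or report falsely (a weakness present only in staging, like the lower TLS floor), so each should be resolved before the test is scoped.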
In conclusion, choosing between a production and a non-production environment is a balance between getting the most out of the pentest and reducing the risks.
It is best to discuss in detail with your pentest provider which impacts and risks you can accept and which you refuse. Specific conditions and restrictions should be agreed beforehand, to ensure you get the full benefit of your pentest.
Keep in mind that your pentest provider should always monitor its tests. If a test has a side effect on the target (especially a production environment), they will stop the tests (and contact you if there are actions you can take to bring production back to normal faster).