Pentest Live Environment

Once you have decided to go for a pentest, you may wonder whether it should target your production environment.

Depending on the risks, it can be appropriate to pentest either a production environment or a test environment. Below is a summary of the pros and cons for each alternative.

Penetration Test of a Live Environment: Pros and Cons

The best reason to pentest a production environment is that you get a security assessment of the real target.

It enables the pentesters to test the vulnerabilities of the same target that is available to users and to potential attackers.
The pentesters can look at the features, the entire setup of the service, the interactions between features, the integration with third-party services, etc., which is sometimes not possible when a pentest targets a staging environment.

A penetration test of a production environment therefore makes it possible to test the whole solution and to get a realistic picture of it in operation.

It can also provide insights about which assets are the most interesting from an attacker’s point of view, and measure when the security tools in place detect the attacks.

But the question is: Will a pentest of the production environment interfere with the daily activity of the system? What are the real risks?

Although a professionally conducted pentest will not destroy your systems, it can impact the target in several ways. Some tests could add junk data, fill up ticket queues, create pop-ups, or slow down some processes, for instance.

Then, the central question is: What are the risks for your business? And can you accept these risks?

If the risks seem too high, the alternative is to pentest another environment, typically a staging, dev or test environment.

Penetration Test of a Test Environment: Pros and Cons

If you go for a pentest of a test environment, it is strongly recommended to set up a target that is identical to your production environment.
For instance, if the pentest targets a web application, both the application layer and the server configuration should be identical. This is important to ensure that you get useful security feedback from the pentest.

The main advantage of a pentest of a non-production environment is that it does not affect the users or interfere with day-to-day activity.

For that reason, there might be fewer restrictions on the pentest: some vulnerabilities might be exploited further, since, for instance, there are no repercussions on the company’s data.
Pentesting a non-production environment can be a good option when data integrity or service continuity is crucial for the company.

In some cases, it really makes sense to pentest:

  • A dev environment: if it enables the pentesters to test the latest developments that have not been released yet.
  • A test environment: if the target is a software product with one instance of the solution set up per client. Then it is worthwhile creating a new instance dedicated to security audits, with a complete data set.
  • A demo environment: if it is ready and representative of the target.

Sometimes, it is possible to go for a mixed approach:

  • The first pentest targets a non-production environment, as the systems may be very vulnerable initially. The second pentest targets the production environment, once the security level of the systems has been improved.
  • The pentest targets the production environment, except for denial-of-service tests, which can be run on a pre-production environment if they are considered particularly risky. But this requires the server configuration to be identical!
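Both the recommendation above to make the test environment identical to production and this last mixed-approach option depend on the server configuration really being the same. Added example, not from the original article: a small Python parity check over two constructed INI-style configuration snapshots (all section names, keys and values are hypothetical) that reports every setting which differs or is missing on one side, minus an agreed list of expected differences.

```python
# Added example (not from the original article): a parity check to run before
# pentesting a staging/test copy, confirming its server configuration matches
# production. Both INI snippets are constructed sample data.
import configparser
import io

PROD_CONF = """
[server]
hostname = app.prod.example
tls_min_version = 1.2
request_timeout = 30
[app]
debug = false
session_cookie_secure = true
"""

STAGING_CONF = """
[server]
hostname = app.staging.example
tls_min_version = 1.0
[app]
debug = true
session_cookie_secure = true
extra_diag_endpoint = enabled
"""

# Settings that are expected to differ between environments (agree this list
# with the pentest provider beforehand); hypothetical for this example.
IGNORED = {("server", "hostname")}


def parse(text):
    """Parse an INI snapshot into {(section, key): value}."""
    cp = configparser.ConfigParser()
    cp.read_file(io.StringIO(text))
    return {(s, k): v for s in cp.sections() for k, v in cp.items(s)}


def config_drift(prod_text, staging_text, ignored=IGNORED):
    """Return sorted (section, key, prod_value, staging_value) tuples for each
    setting that differs; None marks a setting absent on one side."""
    prod, staging = parse(prod_text), parse(staging_text)
    drift = []
    for key in (set(prod) | set(staging)) - set(ignored):
        if prod.get(key) != staging.get(key):
            drift.append((key[0], key[1], prod.get(key), staging.get(key)))
    return sorted(drift)
```

Any non-empty result from `config_drift` is a reason to fix the test environment before the pentest starts, otherwise findings (or their absence) may not transfer to production.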

Conclusion

Choosing between a production and a non-production environment is a balance between getting the most out of the pentest and reducing the risks.

It is best to discuss in detail with your pentest provider which impacts you can accept and which you refuse. Specific conditions and restrictions should be agreed beforehand, to ensure you get the full benefit of your pentest.

Keep in mind that your pentest provider should always monitor its tests. If a test is having a side effect on the target (especially a production environment), they will stop the tests (and contact you if there are actions you can take to bring production back to normal faster).