
If I own a piece of software and I want to conduct a pen test with pen testers, should I define the scope, or do the pen testers assess the software first and then define the scope? How does scope definition happen?

Furthermore, does the term "full scope" exist? By "full scope", I mean pen testing the whole software without defining a scope for the pen testers.

Note: the software is Java based (Java thick client to server).

1 Answer

It's your software. You can define the scope, even if it is the entire thing.

The potential issue might be cost. The costs of testing some areas of the software might be so high and the time to complete might take so long, that the pen testers might advise on a smaller scope in order to stay within your budget.

  • Ah okay, and when defining scope for a huge piece of software, what would the scope look like? A written document listing the areas covered by the scope? If there's a good reference on how to define a scope, that would be great! Commented May 4, 2022 at 12:55
  • Are you the software owner or a tester? There are well-established documents to guide testers.
    – schroeder
    Commented May 4, 2022 at 13:24
  • @ethicalhacker For a fat client, that's usually the client software, as well as a list of IP addresses the software interacts with. So you could say something like "The entire fat client is in scope. The client communicates with a licensing server at 10.202.107.19 - that server is not in scope." By doing that, I as a pentester would know pretty well what I am supposed to test.
    – user163495
    Commented May 4, 2022 at 14:12
  • @schroeder I am the software owner, not the tester. Commented May 4, 2022 at 15:22
  • @MechMK1, I see your point, but it's still not clear to me how much detail the scope should have. Like in your example, "the entire fat client": is that enough? Or should I specify, for example, the login page of the fat client, or the authentication/authorization mechanism? I hope you understand my confusion. Commented May 4, 2022 at 15:25
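The comment above gives a scope statement in words ("the entire fat client is in scope; the licensing server at 10.202.107.19 is not"). An owner can hand the same statement over in a form that both sides can check mechanically before any target is touched. The following is an added example, not code from the answerer or from the original post: it encodes a scope as named assets plus included and excluded networks, and classifies each proposed target as in-scope, out-of-scope, or undefined. The 10.202.107.19 address comes from the comment; the `10.202.107.0/24` inclusion, the asset names, and the other addresses are constructed for illustration. Exclusions always win over inclusions, and anything not listed is reported as undefined so the owner can clarify it rather than having it silently treated as in scope.

```python
import ipaddress

# Constructed scope statement modelled on the comment above. The whole fat
# client is in scope; the licensing server at 10.202.107.19 (from the comment)
# is excluded. The 10.202.107.0/24 inclusion is an assumed example network.
SCOPE = {
    "in_scope_assets": {"fat-client"},
    "in_scope_networks": ["10.202.107.0/24"],
    "out_of_scope_networks": ["10.202.107.19/32"],
}


def _networks(entries):
    """Parse a list of CIDR strings into ip_network objects."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def classify_target(target, scope=SCOPE):
    """Return 'in-scope', 'out-of-scope' or 'undefined' for one target.

    A target is either a named asset (matched exactly) or an IP address.
    Exclusions take precedence over inclusions; anything not covered by the
    scope statement is 'undefined' and must be clarified by the owner.
    """
    if target in scope["in_scope_assets"]:
        return "in-scope"
    try:
        addr = ipaddress.ip_address(target)
    except ValueError:
        # Not an IP and not a listed asset name: the scope says nothing about it.
        return "undefined"
    if any(addr in net for net in _networks(scope["out_of_scope_networks"])):
        return "out-of-scope"
    if any(addr in net for net in _networks(scope["in_scope_networks"])):
        return "in-scope"
    return "undefined"


def check_targets(targets, scope=SCOPE):
    """Bucket a proposed target list so only explicitly included ones proceed."""
    result = {"in-scope": [], "out-of-scope": [], "undefined": []}
    for target in targets:
        result[classify_target(target, scope)].append(target)
    return result


if __name__ == "__main__":
    # Constructed target list: one asset, the excluded server, another host in
    # the included network, an address the scope never mentions, and an
    # unlisted asset name.
    proposed = [
        "fat-client",
        "10.202.107.19",
        "10.202.107.20",
        "192.0.2.7",
        "reporting-service",
    ]
    for bucket, items in check_targets(proposed).items():
        print(f"{bucket}: {items}")
```

Running the block prints the three buckets; the excluded licensing server lands in `out-of-scope` even though it sits inside an included network, and the two unlisted entries land in `undefined`, which is the list to send back to the owner for a decision before testing starts.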
