Logistics
The exact manner in which a test is carried out depends on the client's wishes and what actually needs to be done. Firstly, an agreement has to be signed. Then, as a starting point, my preferred arrangements are as follows:
- I work from my own office, where I have my machines and tools set up. It's sometimes possible to transfer some of this equipment to the client site if on-site working proves necessary. Remote working is the norm though - I haven't actually met most of my clients!
- The scope of my testing is clearly defined and confirmed in writing beforehand. In the first instance I normally limit things to "vulnerability assessment," whereby I report potential problems without actually trying to exploit them. I can do full penetration tests if required.
- The duration, fees and deliverables for my testing are agreed beforehand. Test duration starts at one day. I'll quote a fee based on my estimate of how long an agreed test will take. Once agreed, my fee is fixed - no surprises for the client.
- Where possible I work on a copy of the client's website. This would normally be on a temporary URL which only I know about, and is taken down after the test. I can work on the live website if the client so wishes and understands the risks that this might entail for existing customers and their service.
- I receive a valid login/password for the client's system, unless the scope of the test is purely "front door only." I discourage front door tests because typically the vast majority of problems are inside the application itself. Getting access to a system is often a matter of trivial social engineering, or an inexpensive legitimate purchase.
- A copy of the source code behind the website is not normally required - I perform "black box" system testing. If the system is such that I might benefit from having a copy of the source code, and the client is willing to give it to me, I would accept responsibility for that source code under any reasonable Non-Disclosure Agreement.
- I deliver a written and minuted report on what sort of attacks were attempted, which ones uncovered problems and what the remedies for those problems might be. Depending on location, I can sometimes attend a client's site to present or discuss my findings.
- The final report can be written to contain relevant, targeted advice, as requested by the client. This might include advice on how to reduce an application's exposure, how to harden a system against attack using intrusion detection, application and system level firewalls, secure coding methods, and so on. Such points don't normally appear in a report and their inclusion will be agreed in advance.
All aspects of the test procedure are negotiable and ultimately within the client's control. I'm happy to perform the exact test procedure the client requires.