The exact manner in which a test is carried out depends on the client's wishes and what actually needs to be done. Firstly, an agreement has to be signed. Then, as a starting point, my preferred arrangement is as follows:
- I work from my own office, where I have my machines and tools set up. It's sometimes possible to transfer some of this equipment to the client site if on-site working proves necessary. Remote working is the norm though - I haven't actually met most of my clients!
- The scope of my testing is clearly defined and confirmed in writing beforehand. In the first instance I normally limit things to "vulnerability assessment," whereby I report potential problems without actually trying to exploit them. I can do full penetration tests if required.
- The duration, fees and deliverables for my testing are agreed beforehand. Test duration starts at one day. I'll quote a fee based on my estimate of how long an agreed test will take. Once agreed, my fee is fixed - no surprises for the client.
- Where possible I work on a copy of the client's website. This would normally be on a temporary URL which only I know about, and is taken down after the test. I can work on the live website if the client so wishes and understands the risks this might entail for existing customers and their service.
- I receive a valid login/password for the client's system, unless the scope of the test is purely "front door only." I discourage front door tests because typically the vast majority of problems are inside the application itself. Getting access to a system is often a matter of trivial social engineering, or an inexpensive legitimate purchase.
The above is just a guide. My approach is always flexible and I'm happy to take on assignments in whatever manner suits the client.
My typical test procedure is described here.