The following factors should influence the time frame and scope of a penetration test:
- Purpose of the penetration test
What is the purpose of the penetration test? Defining goals in both technical and business terms is crucial to determining the scope and time frame. If the penetration test exists only to "tick off" an audit item and get green-lighted for compliance reports, the scope will be considerably smaller, at an acceptable minimum. If it is to protect a mission-critical piece of software as well as possible, the time frame and scope are appreciably larger.
- Stakeholders
The stakeholders and the influence they wield over the project go a long way in determining the scope and time frame. If the CISO has succeeded in getting the CEO, CFO, and the board of directors on board with the necessity of a deep pen test, the scope will increase.
- Delivery date
If the company has committed to clients and resellers with a "delivery date" for the software release, its hands may be forced into shortening the time spent on penetration testing.
- Organization culture towards security
The outlook of the organization, from its engineers to its C-suite executives, and the importance it gives to "security" go a long way in determining the scope of pen testing.
- Resources and skillsets
The resources and skillsets available to the organization (both in-house and outsourced) will determine the scope of the penetration testing.
- Budget
The budget allocated to the penetration testing phase of the SDLC is a major factor in determining the time spent and the scope covered.
- Acceptable risk
No penetration test can be exhaustive and complete. The maximum acceptable risk varies between organizations and between individual projects, and it helps to determine when pen testing should "end" and the project should move to production and release.