
What Are Blockers And How Do I Resolve Them?

During our security assessments, it is essential that key assets, including applications and APIs, are correctly configured to facilitate effective penetration testing and scanning. Below are the most common issues that we see.

Version Number: v1.0.3

Published Date: 17 Oct 2024

____________________________________________________________________________

Below is a list of common blocker reasons and ways to remediate them:

Credentials and Access Tokens: Ensure that valid credentials or access tokens for the application/API are provided. These should be tested ahead of time to confirm they work and are not expired or incorrect. The customer should indicate the specific service account to use and provide detailed instructions on generating tokens for access if needed.
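The pre-flight check described above can be scripted so the customer confirms a token before handing it over. The following Python is an added example, not part of this article: it builds a constructed JWT-shaped sample token (the signature is a placeholder), reads the expiry claim without verifying the signature, classifies the token as valid, expiring soon or expired, and can send one authenticated request to a hypothetical endpoint to confirm the credential is accepted.

```python
import base64
import json
import time
from typing import Optional
from urllib import request, error

# Constructed sample token: a JWT-shaped string built inline so the check runs
# offline. The signature segment is a placeholder; the customer's identity
# provider issues the real token and the target server verifies it.
def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_sample_jwt(exp: int, subject: str = "svc-pentest") -> str:
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({"sub": subject, "exp": exp}).encode())
    return f"{header}.{payload}.signature-placeholder"

def jwt_claims(token: str) -> dict:
    """Read the payload claims without verifying the signature.

    Verification is the server's job; the pre-flight check only needs 'exp'.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected header.payload.signature")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))

def token_status(token: str, now: Optional[int] = None,
                 min_remaining: int = 3600) -> str:
    """Classify a token as valid, expires-soon, expired or no-expiry-claim.

    min_remaining is the lifetime (seconds) the token should still have when
    testing starts; a token that dies mid-assessment is a blocker too.
    """
    now = int(time.time()) if now is None else now
    exp = jwt_claims(token).get("exp")
    if exp is None:
        return "no-expiry-claim"
    if exp <= now:
        return "expired"
    if exp - now < min_remaining:
        return "expires-soon"
    return "valid"

def probe(url: str, token: str, timeout: float = 10.0) -> int:
    """Send one authenticated request and return the HTTP status code.

    A 401/403 here points at the credential or its permissions, not the
    target: resolve it before the assessment starts.
    """
    req = request.Request(url, headers={"Authorization": f"Bearer {token}"})
    try:
        with request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except error.HTTPError as e:
        return e.code

if __name__ == "__main__":
    sample = make_sample_jwt(int(time.time()) + 600)
    print("sample token status:", token_status(sample))
    # probe("https://api.example.com/v2/health", sample)  # hypothetical endpoint
```

Run it against the real service account token and the documented health or profile endpoint; anything other than "valid" plus a 2xx response from the probe is something to fix before the engagement date.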

Account Permissions: The accounts provided for assessments must have the correct permissions required for access and the intended testing activities. These permissions should be confirmed and provisioned beforehand to avoid delays during assessments.

API Documentation: Complete API documentation such as Swagger files or Postman collections must be provided. These often require authentication and parameters for assessments, which should also be confirmed prior to any assessments starting. Additionally, the documentation should outline expected responses to our test requests to ensure proper configuration and no further delays waiting on clarification.

Jumpboxes: If a Jumpbox is required to access a customer's internal/private networks, we must have clear instructions on which Jumpbox to use and how to access it securely. This avoids any connectivity issues during assessments.

License Type: The correct type of license must be applied to the asset for the appropriate type of assessments. For example, internal scanning requires a license that supports internal assessments, and authenticated scanning requires a license that allows credentials to be applied. The wrong license or a lack of license will block the asset and prevent progress until these are resolved.

Scope Definition: Customers need to clearly define the scope of the asset to be assessed, including URLs and endpoints that are explicitly in or out of scope. Incomplete or ambiguous scope definitions, such as providing a base URL without further details, can cause issues in accurately identifying which components to include in an assessment. Additionally, if there are underlying API capabilities working in conjunction with URLs for the app, these must be confirmed in or out of scope.
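A scope definition is easier to agree on when it is written as explicit URL prefixes that a script can check. The following Python is an added example, not part of this article; the in-scope and out-of-scope lists are constructed sample entries on example.com hosts. It classifies a candidate URL by the most specific matching prefix (so an exclusion under an in-scope base wins) and flags entries that are only a bare base URL, which is exactly the ambiguity the text warns about.

```python
from urllib.parse import urlsplit
from typing import List

# Constructed sample scope: prefixes the customer has declared in or out.
# Entries are URL prefixes; anything not covered by either list is "unspecified"
# and needs to be confirmed with the customer rather than assumed.
IN_SCOPE = ["https://app.example.com/", "https://api.example.com/v2/"]
OUT_OF_SCOPE = ["https://app.example.com/admin/",
                "https://api.example.com/v2/billing/"]

def _normalize(url: str) -> str:
    """Lower-case scheme and host, and make sure there is at least a '/' path."""
    s = urlsplit(url)
    return f"{s.scheme.lower()}://{s.netloc.lower()}{s.path or '/'}"

def classify(url: str, in_scope: List[str] = IN_SCOPE,
             out_of_scope: List[str] = OUT_OF_SCOPE) -> str:
    """Return 'in-scope', 'out-of-scope' or 'unspecified' for one URL.

    The longest matching prefix decides, so a narrower out-of-scope entry
    overrides a broader in-scope base and vice versa.
    """
    target = _normalize(url)
    best_label, best_len = "unspecified", -1
    for label, prefixes in (("in-scope", in_scope), ("out-of-scope", out_of_scope)):
        for prefix in prefixes:
            p = _normalize(prefix)
            if target.startswith(p) and len(p) > best_len:
                best_label, best_len = label, len(p)
    return best_label

def ambiguous_entries(entries: List[str]) -> List[str]:
    """Flag scope entries that are a bare base URL with no path detail.

    These are the 'base URL without further details' case: they say nothing
    about which endpoints or API paths underneath are meant to be tested.
    """
    return [e for e in entries if urlsplit(e).path in ("", "/")]

if __name__ == "__main__":
    for u in ["https://app.example.com/login",
              "https://app.example.com/admin/users",
              "https://api.example.com/v1/users"]:
        print(u, "->", classify(u))
    print("needs endpoint detail:", ambiguous_entries(IN_SCOPE))
```

Every URL that comes back as "unspecified", and every entry the ambiguity check flags, is a question to put to the customer before testing starts rather than during it.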

Whitelisting IP Addresses: One of the common blockers we encounter is related to firewall settings on the customer's side, where our IP addresses are restricted from reaching the target hosts due to security filters or network policies. To avoid this, it is critical that the customer whitelists our IP addresses to ensure that our testing traffic is allowed through their security controls.
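The customer can verify their allowlist covers every testing source address before the engagement rather than discovering a gap on day one. The following Python is an added example, not part of this article; the tester addresses and firewall rules are constructed placeholders from documentation ranges, not real assessment infrastructure. It reports which source addresses no allow rule covers and produces the narrowest per-address entries, so the customer opens only what the engagement needs.

```python
import ipaddress
from typing import List

# Constructed sample data: placeholder tester source addresses and the
# customer's current firewall allow rules (CIDR form). Replace with the
# addresses actually supplied for the engagement.
TESTER_SOURCES = ["203.0.113.10", "203.0.113.11", "2001:db8::1"]
FIREWALL_ALLOW = ["203.0.113.0/28", "198.51.100.0/24"]

def uncovered_sources(sources: List[str], allow_rules: List[str]) -> List[str]:
    """Return the tester addresses that no allow rule covers.

    Any address in this list will be dropped by the firewall and the asset
    stays blocked until a rule for it is added.
    """
    networks = [ipaddress.ip_network(rule, strict=False) for rule in allow_rules]
    missing = []
    for src in sources:
        addr = ipaddress.ip_address(src)
        # An IPv4 address is never inside an IPv6 network and vice versa.
        if not any(addr.version == net.version and addr in net for net in networks):
            missing.append(src)
    return missing

def allow_rules_for(sources: List[str]) -> List[str]:
    """Produce host-only allow entries (/32 or /128) for each source address."""
    return sorted({str(ipaddress.ip_network(src)) for src in sources})

if __name__ == "__main__":
    gaps = uncovered_sources(TESTER_SOURCES, FIREWALL_ALLOW)
    print("not covered by current rules:", gaps)
    print("add these entries:", allow_rules_for(gaps))
```

The function uses host-sized entries on purpose: allowlisting a whole provider range for a time-boxed assessment is broader than the engagement requires, and the entries should be removed again when testing ends.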