To ensure full coverage of your application, you may want or need to provide test credentials.
If your program requires test credentials to be tested properly, the key is to make these as accessible and hassle-free as possible, as with everything else in your program's testing setup.
Some questions to ask yourself when setting up test environments and test credentials:
Do the test environments contain (fairly) representative data?
Are cross-tenancy issues relevant? If so, you may need to provide user sets for two separate environments.
Do I need to provide a permission matrix so that the roles and their expected permissions are clear? This also helps prevent false-positive reports.
Below are the different options for distributing test credentials, as well as the options for 2FA.
Credential upload into the Intigriti platform
Intigriti allows you to upload credentials (email address, password, URL; multiple sets) into the platform. Researchers can then automatically claim up to three sets of credentials from the platform.
The upload allows you to provide multiple different users within one set of credentials. So when a researcher claims one set, they get, for example, a user with read-only rights, a user with intermediate admin rights and a full admin, to test for horizontal privilege escalation. One set can also contain test credentials for two different tenants, so that researchers can test for cross-tenancy issues.
Contact your customer success manager who can provide you with the .csv template and more specific instructions.
If, for some reason, it is not possible to create an ample number of test credentials (50-100), this can be challenging. In some cases, test account rotation can be considered to overcome this. Rotation means, simply put, that we populate the .csv file with the same set of 25 accounts twice instead of a unique set of 50 accounts. Once the 25th set has been claimed, we start again from the first set.
Things to consider:
Can users reset their password without accessing the mailbox? If yes, can we block them from resetting it? If so, it is easier to rotate the credentials, with less chance that researchers will (accidentally) lock others out.
Can we clean up the accounts automatically every month or so to make them easier to share?
Is 2FA available? If so, can we disable it? Again, if so, it is easier to rotate the credentials, with less chance that researchers will (accidentally) lock others out. More about 2FA setup can be found in the 2FA section below.
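The following script is an added example, not Intigriti's .csv template or tooling. It shows the rotation idea from above in code: a small number of unique credential sets is cycled to fill the number of claimable slots, each set bundles one user per role (for the permission matrix) plus a second tenant (for cross-tenancy), and a few pre-upload checks catch sets that would produce confusing reports. The column names, the set layout and all sample accounts are constructed assumptions; the real column layout comes from your customer success manager.

```python
import csv
import io
from itertools import cycle, islice

# Constructed sample data: three unique credential sets. Each set bundles one
# user per role for tenant A plus a user for tenant B, so a single claim lets a
# researcher test role boundaries and cross-tenancy. The column names and this
# layout are assumptions for the example, not Intigriti's .csv template.
UNIQUE_SETS = [
    {
        "set_id": f"set-{i:02d}",
        "users": [
            {"tenant": "tenant-a", "role": "readonly",
             "email": f"ro{i}@tenant-a.example", "password": f"ro-pass-{i}",
             "url": "https://tenant-a.example/login"},
            {"tenant": "tenant-a", "role": "admin",
             "email": f"admin{i}@tenant-a.example", "password": f"admin-pass-{i}",
             "url": "https://tenant-a.example/login"},
            {"tenant": "tenant-b", "role": "readonly",
             "email": f"ro{i}@tenant-b.example", "password": f"ro-pass-{i}",
             "url": "https://tenant-b.example/login"},
        ],
    }
    for i in range(1, 4)
]

# Roles the permission matrix expects every set to offer on the primary tenant.
REQUIRED_ROLES = {"readonly", "admin"}
FIELDS = ["slot", "set_id", "tenant", "role", "email", "password", "url"]


def rotate_sets(sets, slots):
    """Fill `slots` claimable slots by cycling through `sets` in order.

    With 25 unique sets and 50 slots this is the rotation described on the
    page: slot 26 hands out set 1 again. With slots <= len(sets) every slot
    is unique and no rotation happens.
    """
    if not sets:
        raise ValueError("at least one credential set is required")
    return list(islice(cycle(sets), slots))


def build_rows(sets, slots):
    """One CSV row per user, grouped by the slot a researcher claims."""
    rows = []
    for slot, cred_set in enumerate(rotate_sets(sets, slots), start=1):
        for user in cred_set["users"]:
            rows.append({"slot": slot, "set_id": cred_set["set_id"], **user})
    return rows


def check_sets(sets, primary_tenant="tenant-a"):
    """Pre-upload checks: role coverage, cross-tenancy coverage, HTTPS URLs,
    and no email address accidentally shared between two distinct sets."""
    problems = []
    seen_emails = {}
    for cred_set in sets:
        roles = {u["role"] for u in cred_set["users"] if u["tenant"] == primary_tenant}
        missing = REQUIRED_ROLES - roles
        if missing:
            problems.append(f"{cred_set['set_id']}: missing roles {sorted(missing)}")
        if len({u["tenant"] for u in cred_set["users"]}) < 2:
            problems.append(f"{cred_set['set_id']}: only one tenant, cross-tenancy untestable")
        for u in cred_set["users"]:
            if not u["url"].startswith("https://"):
                problems.append(f"{u['email']}: login URL is not HTTPS")
            owner = seen_emails.setdefault(u["email"], cred_set["set_id"])
            if owner != cred_set["set_id"]:
                problems.append(f"{u['email']}: shared by {owner} and {cred_set['set_id']}")
    return problems


def to_csv(rows):
    """Render the rows as CSV text (header plus one line per user)."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=FIELDS, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    problems = check_sets(UNIQUE_SETS)
    if problems:
        raise SystemExit("\n".join(problems))
    # Six slots from three sets: slots 4-6 repeat sets 1-3 (rotation).
    print(to_csv(build_rows(UNIQUE_SETS, slots=6)))
```

The `slot` column makes it visible in the file itself that two slots map to the same underlying accounts, which is what you need to know when a researcher reports being locked out: the previous holder of the same set may have changed a password or enrolled 2FA, which is why the considerations above matter before rotation is enabled.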
Limitations of the upload method
The test credentials contain information other than just email, password and URL. For example, sometimes a license code or a (fake) social security number is required.
A manual action is needed to provide the test credentials to a researcher (this is to be avoided where possible, since it can be a barrier to program activity).
When different parts of the scope require different sets of test credentials, using the .csv file and uploading the sets can get complicated. This is especially true if the assets are not added at the same time, because it would mean uploading a new file every time new scope is added and manually cleaning out already-claimed credentials while doing so. In this case, we prefer the method of manual distribution.
Manual distribution through Intigriti support
You can opt to manually distribute the test credentials through Intigriti support. This means you send us the test credentials and we provide them on request to researchers on the program.
This is also the solution when other information needs to be distributed, such as a license code or social security number.
What about 2FA?
There are three options for 2FA setup, depending on the restrictions on the customer side.
Researchers enter their own 2FA method on first login. This is the easiest way and requires no further action.
Connect the 2FA accounts to a Twilio number that we provide. The codes are then sent to an Intigriti-managed Discord channel where researchers can pick them up.
Preset the 2FA for the user and distribute the QR codes needed for the setup. Intigriti can then manually distribute these to the researchers who request them.
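An added example, not Intigriti's code, of what the third option (preset 2FA, distributed as a QR code) consists of technically: the QR code encodes an otpauth:// URI carrying a shared Base32 secret, and every authenticator app that imports it computes the same RFC 6238 TOTP codes. That is why one preset secret can serve every researcher who claims a rotated test account, and also why the QR image or link must be handled as a credential. The issuer and account names below are constructed placeholders; the RFC 6238 test secret is embedded only so the computation can be checked against the published vectors.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
from urllib.parse import quote


def new_base32_secret(nbytes=20):
    """Generate a random shared secret, Base32-encoded as the QR code carries it."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode("ascii")


def provisioning_uri(secret_b32, account, issuer, digits=6, period=30):
    """Build the otpauth:// URI that an authenticator-app QR code encodes.

    Whoever scans this QR (or receives the same link) holds the identical
    secret, so a preset 2FA can be shared between researchers on a rotated
    test account; treat the link with the same care as the password.
    """
    label = quote(f"{issuer}:{account}", safe="")
    return (f"otpauth://totp/{label}?secret={secret_b32}"
            f"&issuer={quote(issuer, safe='')}&algorithm=SHA1"
            f"&digits={digits}&period={period}")


def totp(secret_b32, for_time=None, period=30, digits=6):
    """RFC 6238 TOTP (HMAC-SHA1) for the time step that contains `for_time`."""
    if for_time is None:
        for_time = time.time()
    # Base32 input may arrive unpadded; restore padding before decoding.
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    counter = int(for_time) // period
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    # RFC 4226 dynamic truncation: low nibble of the last byte picks the offset.
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify(secret_b32, code, for_time=None, period=30, digits=6, window=1):
    """Server-side check accepting the current step and `window` steps either side,
    which tolerates small clock drift between the app and the server."""
    if for_time is None:
        for_time = time.time()
    for drift in range(-window, window + 1):
        candidate = totp(secret_b32, for_time + drift * period, period, digits)
        if hmac.compare_digest(candidate, code):
            return True
    return False


# RFC 6238 Appendix B test secret (ASCII "12345678901234567890"), used here
# only to show the computation matches the published test vectors.
RFC_SECRET = base64.b32encode(b"12345678901234567890").decode("ascii")

if __name__ == "__main__":
    # Provision a preset 2FA for a constructed test account and show the URI
    # a QR generator would encode, plus the code an app would display now.
    secret = new_base32_secret()
    print(provisioning_uri(secret, "ro1@tenant-a.example", "ExampleApp"))
    print("current code:", totp(secret))
```

Two points follow from this for the rotation question. First, because the code depends only on the secret and the clock, disabling 2FA or keeping the preset secret fixed is what makes a rotated account usable by the next researcher; if a researcher re-enrolls the account with a fresh secret, everyone else is locked out. Second, the provisioning URI contains the issuer and account label in clear text, so when it is distributed through a shared channel, check that the label does not disclose more about the program than the program's confidentiality allows.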
Is credential rotation possible with 2FA enabled?
Yes, but only if:
You can link the verification code to our public 2FA Discord channel via a phone number. This Discord channel is publicly available and might break the confidentiality of a private program if data such as the company name is included in the 2FA message.
If authenticator apps are supported, we can share the QR link with the researchers.