Effort Estimation of Penetration Tests Using the Timeboxing Method

Timeboxing is a central concept of agile software development and is being used in more and more areas. Basically, a timebox refers to the time you have to complete a task. What is special about the timeboxing method is that it ranks the aspect of time higher than content and resources.
This makes it an excellent fit for agile work approaches and sharpens the focus. Another important aspect of timebox management is that the scope and content can change constantly. The timeframe, however, remains the same.

Blocking Time: Timebox vs. Deadline: This is the Difference

Mobile apps and web apps are now regularly developed using agile methodologies. These are less about a deadline and more about a timebox. Although deadline and timeboxing are not mutually exclusive, there are three key differences.

• The deadline is determined by the client, not the development team. The Scrum timebox is different. Here, the team determines which tasks are feasible within a timebox.
• Timebox management aims at processing a certain amount of tasks in a previously defined period of time. Unlike the deadline, there are no consequences if individual aspects are not completed.
• The most important difference between Deadline and Timeboxing is the mindset. With timebox management, the focus is on a self-determined development team. Deadlines, on the other hand, focus on the client's specifications.

The Timeboxing Method in Practice

Timeboxing is an important technique that aims to maintain focus. Therefore, you can use this method both for web application development and for private tasks. In practice, the timeboxing method is based on different steps:

• You define a timebox that you maintain over an extended period of time. In development teams, this is usually 2 or 4 weeks.
• You add a number of tasks to each timebox. It is important to keep track of the timebox as you do this. The more time you have, the more requirements can be accommodated.
• When the time is up, the process is finished - regardless of whether you have completed all tasks. You can transfer open items to the next timebox.

The special thing about this approach: You can even use timeboxing to manage projects that cannot be specified precisely. At the same time, highly dynamic projects are easiest to implement in this way.
Good to know: Traditional planning work focuses on tasks, whereas timeboxing focuses on the sequence of work stages. Therefore, this method is suitable for the development of health apps or DiGAs as well as for complex pentests in the company.

Timeboxing as a Tool for Personal Time Management

With the timeboxing method, you manage to do your work more efficiently. Therefore, you can equally use the approach for private projects or your daily work routine. To do this, you divide the available working time into timeboxes, all of the same size.
Then define the tasks to be done and estimate how long each of them will take. Once you have made this effort estimate, you can divide the tasks into individual timeboxes. Then work through the individual timeboxes one after the other.
By the way, the Pomodoro technique basically follows the same approach. However, it involves very short time windows. With timeboxing, you can make your focus times more generous.

Timeboxing in Classic Project Management

Independent of the agile approach, the Scrum timebox can also be used in classic project management. To do this, you plan your project at the top level with work packages, which you then assign to the respective time period.
However, since this methodology requires a certain rethinking, many project managers opt for a hybrid approach. In this case, they plan part of the tasks in the traditional way. The other part they implement using the timebox. This approach also allows Se to take into account aspects of the project that you cannot accurately estimate in advance.

Timeboxing in the Context of Scrum

The timebox is at home in agile software management. You can use it for infrastructure pentesting, mobile applications or software development alike. After all, every Scrum project is based on defined cycles during which you continuously improve your projects.
In fact, many aspects in Scrum align with the timebox. The user stories in the backlog provide the basis for this. These focus on the added value of the project. The development team breaks each of these stories down into a number of tasks. This is how they then fit into the timebox. The most important timeboxing events in Scrum include:

• Sprint: The sprint is the timeframe available for work. During this timebox, the focus is on all the tasks that the development team has committed to.
• Grooming: This is where the Project Owner and the team create a common understanding of the User Stories.
• Planning: In the Sprint Planning Timebox, the project team commits to the tasks for the next Sprint.
• Review: At the end, team members present what they worked on during the sprint period during the review.
• Retro: This timebox is for continuous progress within the team and takes place at the end of the Sprint. Here you discuss not only problems, but also what went well.
• Daily: The Daily takes place daily and lasts a maximum of 15 minutes. During this timebox, each team member answers the three central questions:
  What did I do yesterday? What am I working on today? Is there anything that is preventing me from working?

Good to know: Each event in Scrum gets its own timebox, for example the Sprint Planning Timebox. It ranges from a few hours to several working days, depending on the duration of the sprint.

The Importance of Timeboxing in IT and Software Development

Timeboxing is an important tool in modern day development. It allows you to sharpen your focus and concentrate better on the tasks at hand. Instead of developing according to the waterfall model, the methodology promotes dynamic software development and allows for continuous improvement. That's why experts like Turingpoint or Atlassian also rely on these approaches.
Timeboxing even works for pentests for different test methods: White-, black- and grey-box tests can vary in scope. The predefined timeframe makes it possible to focus on the most important aspects.
Of course, you need to know the basic IT infrastructure for effort estimation. Because although the Penetration Testing Execution Standard (PTES) provides a set of rules: The actual procedure may differ depending on the company. For example, there are six Linux distributions for penetration testing that are used depending on the environment being tested.
When timeboxing, you must first estimate the effort required for the tasks at hand. Here, it is easier to estimate the general amount of work. In this way, costs and pricing for a pentest become much more transparent. At the same time, it is possible to provide a time frame. During this, security experts can focus on testing standards. This includes, for example, ensuring that the OWASP Mobile Top 10 were taken into account during software development.
Incidentally, timeboxing makes all the difference in the Pentest vs. Red Team Assessment. While penetration tests can be timeboxed relatively easily, this is not the case with the Red Team Assessment. After all, such assessments are supposed to simulate a real attack. And attackers do not stop at the end of the timebox if they were able to penetrate your system.