Penetration Testing

Pay to attack yourself, but it's great if you know in advance what you will be attacked.

Penetration Testing
Pay to attack yourself, but it's great if you know in advance what you will be attacked.

Definition

A penetration test (pen test) is an authorized simulated attack performed on a computer system to evaluate its security. Penetration testers use the same tools, techniques, and processes as attackers to find and demonstrate the business impacts of weaknesses in a system.

What are the benefits of penetration testing?

Pen testing can help an organization

  • Find weaknesses in systems
  • Determine the robustness of controls
  • Support compliance with data privacy and security regulations (e.g., PCI DSS, HIPAA, GDPR)
  • Provide qualitative and quantitative examples of current security posture and budget priorities for management.

How much access is given to pen testers?

Depending on the goals of a pen test, testers are given varying degrees of information about, or access to, the target system.

There are three levels of pen test access:

  • Opaque box. The team doesn’t know anything about the internal structure of the target system. It acts as hackers would, probing for any externally exploitable weaknesses.
  • Semi-opaque box. The team has some knowledge of one or more sets of credentials. It also knows about the target’s internal data structures, code, and algorithms. Pen testers might construct test cases based on detailed design documents, such as architectural diagrams of the target system.
  • Transparent box. Pen testers have access to systems and system artifacts including source code, binaries, containers, and sometimes even the servers running the system. This approach provides the highest level of assurance in the smallest amount of time.

What are the phases of pen testing?

Pen testers simulate attacks by motivated adversaries. To do this, they typically follow a plan that includes the following steps:

  • Web apps. Testers examine the effectiveness of security controls and look for hidden vulnerabilities, attack patterns, and any other potential security gaps that can lead to a compromise of a web app.
  • Mobile apps. Using both automated and extended manual testing, testers look for vulnerabilities in application binaries running on the mobile device and the corresponding server-side functionality. Server-side vulnerabilities include session management, cryptographic issues, authentication and authorization issues, and other common web service vulnerabilities.
  • Networks. This testing identifies common to critical security vulnerabilities in an external network and systems. Experts employ a checklist that includes test cases for encrypted transport protocols, SSL certificate scoping issues, use of administrative services, and more.
  • Cloud. A cloud environment is significantly different than traditional on-premises environments. Typically, security responsibilities are shared between the organization using the environment and the cloud services provider. Because of this, cloud pen testing requires a set of specialized skills and experience to scrutinize the various aspects of the cloud, such as configurations, APIs, various databases, encryption, storage, and security controls.
  • Containers. Containers obtained from Docker often have vulnerabilities that can be exploited at scale. Misconfiguration is also a common risk associated with containers and their environment. Both of these risks can be uncovered with expert pen testing.
  • Embedded devices (IoT). Embedded / Internet of Things (IoT) devices such as medical devices, automobiles, in-home appliances, oil rig equipment, and watches have unique software testing requirements due to their longer life cycles, remote locations, power constraints, regulatory requirements, and more. Experts perform a thorough communication analysis along with a client/server analysis to identify defects that matter most to the relevant use case.
  • Mobile devices. Pen testers use both automated and manual analysis to find vulnerabilities in application binaries running on the mobile device and the corresponding server-side functionality. Vulnerabilities in application binaries can include authentication and authorization issues, client-side trust issues, misconfigured security controls, and cross-platform development framework issues. Server-side vulnerabilities can include session management, cryptographic issues, authentication and authorization issues, and other common web service vulnerabilities.
  • APIs. Both automated and manual testing techniques are used to cover the OWASP API Security Top 10 list. Some of the security risks and vulnerabilities testers look for include broken object level authorization, user authentication, excessive data exposure, lack of resources / rate limiting, and more.
  • CI/CD pipeline. Modern DevSecOps practices integrate automated and intelligent code scanning tools into the CI/CD pipeline. In addition to static tools that find known vulnerabilities, automated pen testing tools can be integrated into the CI/CD pipeline to mimic what a hacker can do to compromise the security of an application. Automated CI/CD pen testing can discover hidden vulnerabilities and attack patterns that go undetected with static code scanning.

What are the pros and cons of pen testing?

Pros of pen testing

  • Finds holes in upstream security assurance practices, such as automated tools, configuration and coding standards, architecture analysis, and other lighter-weight vulnerability assessment activities
  • Locates both known and unknown software flaws and security vulnerabilities, including small ones that by themselves won’t raise much concern but could cause material harm as part of a complex attack pattern
  • Can attack any system, mimicking how most malicious hackers would behave, simulating as close as possible a real-world adversary

Cons of pen testing

  • Is labor-intensive and costly
  • Does not comprehensively prevent bugs and flaws from making their way into production