Penetration Testing Uncovered Part 1

Have you ever wondered what a company does when they do a penetration test for you?

How about effectively preparing to get the most out of your engagement? Well, read on, you may find a few tips to get you thinking about how you approach your next test as well as get a basic understanding of penetration testing.

This is the first in a series of discussions on the topic.

What is a penetration test?

Let's start by looking at what a penetration test is – it is an unbiased security assessment of your product. The key thing here is that it is unbiased, so it needs to be performed by someone outside the team who developed it. This can mean that you engage an external vendor to complete this for you, or if you work in a large organisation you may have security experts in other teams who may be able to complete this for you. A penetration test is a type of security assessment that simulates a real-world attack against one or more of your targeted assets. These assets can be networks, web applications, devices, infrastructure or anything else you think is important enough. These days, with web applications being the target of more than 75% of attacks, we are seeing more and more penetration tests being done on web applications.

All good penetration tests, at a minimum, will ensure they cover the OWASP (Open Web Application Security Project) Top 10 vulnerabilities, which are a list of the current top vulnerabilities seen in the security community. For those of you who are curious about what these are, the 2013 OWASP Top 10 can be found here. No matter what sort of penetration test you engage in, or any security service for that matter, choosing your provider will be key to how effective your engagement will be. Some of the things to consider when deciding who you choose for your penetration test are: who will actually be doing the test for you – do they have strong security knowledge? What techniques will they be using? What tools will they be using? They need to have a deep technical knowledge of testing environments and an innate knowledge of, and curiosity for, breaking software security. If you are interested in more information on effectively choosing a security provider, you may be interested in reading my article on Choosing a Security Firm, which you can find here.

Back to penetration testing….

There are three broad types of penetration tests -

Black Box Testing – This is where penetration testers have no knowledge of how an application works and have not been given any insight into its structure.

White Box Testing – In this instance, the penetration tester has full knowledge of the source code and is able to test the application at that level. Knowing the source code allows testers to design test cases based upon this knowledge.

Grey box testing – In this case, penetration testers have partial knowledge into the internal structure of the application.

What type of penetration test your application needs will depend on the scope of the project. In our experience, by far the most popular form of testing is white box testing, as this allows you to specify what area of the application you would like the penetration testers to focus on. There is also the reality that many organisations are not comfortable with exposing their applications completely to third parties and effectively giving penetration testers the green light to go their hardest. When considering what type of penetration test you need, think about why you are doing one in the first place and make your objectives clear when scoping the project with your chosen security firm, who should be able to provide you with recommendations to best achieve those objectives.

Why are penetration tests conducted?

So that brings us to the next question – why do organisations ask for penetration tests to be completed on their applications? In our experience, the most common reasons organisations come to us for penetration tests are:

Meeting regulatory requirements (PCI being the main one in Australia)

Meeting their customers' requirements (given the lack of regulatory enforcement of information security in Australia, in our experience this is the main reason we find penetration tests are requested)

Validating a risk or vulnerability management program’s effectiveness

Building a case for the importance of security by demonstrating the consequences of unaddressed vulnerabilities.

In Australia, there is currently very little by way of regulatory requirements calling for increased information security through vulnerability assessment or penetration testing; however, there is a possibility that this is set to change. At the time of writing this article, the Australian Federal Government has introduced mandatory data breach notification law into parliament, in a move which could see the policy enforced by March next year. You can read more about this development here. This could see organisations start to tighten their own policies around penetration testing and security more generally. Time will tell.

Another point considered by organisations when thinking about penetration tests as part of their overall security strategy is where they sit in the supply chain. This helps them work out how much of a target they actually are. Whilst technically any web application is open to attack, considering this point assists in working out how attractive a target they are. Obviously, the closer you are to cash, the closer you'll be to getting attacked. The importance lies not in what you are doing but in qualifying the risks you face.

Another point to consider is whether your customers will be performing penetration tests on your products as part of maintaining and improving their security posture. What are the implications to your business if your customer finds a vulnerability in your product through their testing? We have had several cases where this has occurred on our engagements and it was never a good look for the upstream provider.

Of course, beyond what has been touched on here, there are many additional reasons for performing a penetration test, but whatever the driver, the test should fundamentally answer the question of whether the security of the system can be breached.

Stay tuned for my next installment where I will go through the practical side of what you need to have in place prior to starting your engagement and what to consider throughout the engagement to ensure you get the most out of each penetration test you complete.

Thanks for stopping by.