WHY PENETRATION TEST?
Penetration testing can identify vulnerabilities in applications, networks and systems before they can be exploited, saving organisations money, time and reputational damage.
This can be done in a number of ways. Based on your requirements we can scope and perform a vulnerability assessment or a full-scale penetration test that assesses the security of your applications, networks and systems, lists any vulnerabilities found along with their impact, and explains how they can be remediated.
VARYING APPROACHES FOR PENETRATION TESTING
There are a number of approaches for penetration testing, depending on the position of the attacker (internal position vs. external position) and whether the attacker is afforded knowledge of the system or has to gain knowledge of the system through discovery, exploration and reconnaissance techniques.
BLACK BOX - Tester has little to no information about the application / systems under test, simulating an external attacker with limited knowledge of the target.
WHITE BOX - Tester has full (administrator) access, documentation, configuration, source code and knowledge of the application / system / environment under test. More time can be spent on exploiting issues rather than information discovery.
GREY BOX - A trade-off between black and white box. Tester has partial knowledge of, and access to, the application / system under test, but no access to source code, so there is less dependency on developer assistance during the test.
PENETRATION TEST PROCESS
We follow a broad methodology for penetration testing, which is determined by the approach chosen above, by the amount of information gathering / reconnaissance we have to do, and by what we are already given.
i). RECONNAISSANCE / INFORMATION GATHERING - The penetration tester attempts to gather information about the target which can be used to plan and construct attacks that assess the security of the system. It may include an element of threat modelling to identify potential and likely threats.
ii). VULNERABILITY SCANNING - The penetration tester uses manual techniques and automated scanning tools to explore application, infrastructure and network weaknesses which could possibly be exploited.
iii). VULNERABILITY ASSESSMENT - The penetration tester uses all of the data from the previous two phases to identify potential vulnerabilities and determine whether they can be exploited.
iv). EXPLOITATION - The penetration tester then attempts to infiltrate the system by exploiting the vulnerabilities identified in the previous phase, to gauge to what extent these weaknesses can be exploited and to what extent the security of the system is at risk from attack.
v). REPORTING - The penetration tester prepares and presents a summary of the test, with detailed reporting on the test activity, the findings of the test, the exploits achievable and their consequences, and recommendations for remediating issues and improving processes, with guidelines for future implementation.
THE TYPES OF TOOLS AVAILABLE FOR PENETRATION TESTING
The scope and technologies involved in a penetration test may require that multiple penetration test tools are used in the exercise. Penetration tests therefore require specialists with knowledge of multiple penetration test tools across multiple areas, and of how to uncover vulnerabilities using them.
STATIC APPLICATION SECURITY TESTING (SAST) TOOLS - Fortify Static Code Analyzer, Veracode, SonarQube - Can we identify potential security issues just by scanning the application source code?
DYNAMIC APPLICATION SECURITY TESTING (DAST) TOOLS - Fortify WebInspect, OWASP Zed Attack Proxy, Burp Suite Professional - Can we exploit security issues in the running application?
NETWORK SCANNERS - Zenmap / Nmap - Can we check the network / infrastructure for vulnerabilities such as insufficiently protected open ports?
PACKET SNIFFERS / NETWORK MONITORING - Wireshark, Telerik Fiddler - Are we able to read and write data transmitted over insecure or compromised networks?
SQL INJECTION / DATABASE TAKEOVER - sqlmap - Can we perform SQL Injection attacks to bypass login, return sensitive data from the database or even drop database tables?
SOFTWARE COMPOSITION ANALYSIS (SCA) TOOLS - OWASP Dependency-Check - Are we using outdated and vulnerable 3rd party components and frameworks in our applications?
HOW CAN FIMATIX HELP?
Whether you need advice on your existing penetration testing procedures and processes, an independent penetration test for compliance, or help establishing regular vulnerability assessments and penetration testing in your organisation, FIMATIX can help.