Pen-testing: An overview
Penetration testing (pen-testing) lets businesses evaluate and understand the strength of their cybersecurity measures. Trusted pen-testers simulate cyber-attacks under controlled conditions to check whether the defensive measures are effective in stopping plausible breaches or attacks, and submit a post-testing report with the findings and suggested countermeasures to reduce risk.
Benefits of Penetration Testing
Pen-testing enables businesses to evaluate their security measures and ensure that they are well-protected against and well-equipped to handle security breaches and cyber-attacks. It enables businesses to identify unknown vulnerabilities, zero-day threats, business logic flaws, security misconfigurations and weaknesses (often missed by automated tools such as scanners) that weaken cybersecurity and increase risk.
Pen-testing saves businesses from the unnecessary downtime, productivity losses, reputational damage and financial losses that result from successful cyber-attacks, and so supports business continuity.
Penetration testing is also mandated by government and other legal or regulatory agencies, so it is necessary for regulatory, certification and compliance purposes. For instance, PCI DSS, HIPAA, etc. make pen-testing mandatory, and businesses that do not comply face heavy penalties.
Types of Pen-testing
Penetration testing is of two types: Automated Penetration Testing and Manual Penetration Testing. In Automated Penetration Testing, software and tools are used to detect vulnerabilities in an application. Manual Penetration Testing is divided into 3 parts:
Black Box Pen-testing:
No credentials, source code or internal information is provided; the pen tester assesses the application from the position of an outsider with no prior knowledge of it.
Grey Box Pen-testing:
Only valid credentials to access the system are provided, and an application walkthrough is arranged, so that the pen tester can find vulnerabilities in the application from a logged-in position.
White Box Pen-testing:
Along with valid credentials to access the system, the source code of the application is also provided. This gives the pen tester full insight into and control over the application; they use the application logic and source code to find and report vulnerabilities.
Techniques or Methodologies of Pen-testing
All the relevant information with respect to the scope of the work needs to be gathered before initiating the actual audit. The best way to perform an application audit is by combining manual and automated techniques. This is a well-known approach for finding the maximum number of vulnerabilities or loopholes in an application.
The process of Web Application testing is as follows:
Module Enumeration
The first and foremost step in testing is to understand the application, its features and functionality, and to create a data or process flow chart accordingly.
Discovering the modules or functionalities of an application, either manually or with tools, and understanding the data paths (and in some cases the initialisation process) is important.
Test Case Development
The various inputs, data and exchange fields used in each module are enumerated. Identify the data types accepted by each of these fields and enlist every permutation and combination that could be used in them. Create a test case that can be used to test the application.
Case Validation
Each test result is further validated and verified by completing an attack cycle. This is done to reconfirm the process and to understand the flaws in the application. Validating a case also helps in giving an accurate remediation recommendation.
Test Database
Every test case created is compared with the possible attacks listed in the attack database. A permutation of each case and attack is created and added to the test database. Sample values and/or ranges are set in each test case in the test database. A test success criterion is also documented in each of the test cases.
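The Module Enumeration, Test Case Development and Test Database steps above describe a procedure that is easy to mechanise. The following is an added example (not code from the original article) of that procedure in Python: each module's input fields and their accepted data types are enumerated, crossed with an "attack database" of generic malformed-input classes, and every resulting case records a sample value and a success criterion. The module names, field names and attack classes are constructed for illustration; the sample values are ordinary boundary and format violations, and a case "succeeds" when the application rejects the input gracefully.

```python
"""Added example (not the article's own code): build a small test database by
crossing enumerated input fields with an attack database of generic
input-validation probes. All modules, fields and attack classes are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class InputField:
    module: str
    name: str
    data_type: str  # one of "string", "integer", "email"


# Attack database keyed by data type: (attack class, sample value, success criterion).
# Sample values are benign malformed inputs; the criterion is the response a
# correctly validating application should give.
ATTACK_DB = {
    "string": [
        ("empty", "", "Server returns a validation error, no 5xx"),
        ("overlong", "A" * 5000, "Server enforces a length limit, no 5xx"),
        ("control-chars", "abc\x00\r\n", "Input is rejected or neutralised before storage"),
    ],
    "integer": [
        ("non-numeric", "abc", "Validation error, not a stack trace"),
        ("negative", "-1", "Out-of-range values are rejected"),
        ("huge", str(2 ** 63), "Overflow handled by validation, no 5xx"),
    ],
    "email": [
        ("missing-at", "user.example.com", "Format is validated server-side"),
        ("overlong", "a" * 300 + "@example.com", "Length limit is enforced"),
    ],
}


@dataclass(frozen=True)
class TestCase:
    case_id: str
    module: str
    field_name: str
    attack_class: str
    sample_value: str
    success_criterion: str


def enumerate_fields(modules):
    """Module enumeration output: one InputField per (module, field, type)."""
    return [InputField(m, n, t) for m, fields in modules.items() for n, t in fields]


def build_test_database(fields, attack_db=ATTACK_DB):
    """Cross every field with every attack class applicable to its data type."""
    cases = []
    for f in fields:
        for attack_class, sample, criterion in attack_db.get(f.data_type, []):
            case_id = f"{f.module}.{f.name}.{attack_class}"
            cases.append(TestCase(case_id, f.module, f.name, attack_class, sample, criterion))
    return cases


def coverage_by_module(cases):
    """How many cases the database holds per module; useful for spotting thin coverage."""
    counts = {}
    for c in cases:
        counts[c.module] = counts.get(c.module, 0) + 1
    return counts


# Constructed sample application: two modules with a few input fields each.
SAMPLE_MODULES = {
    "login": [("username", "string"), ("password", "string")],
    "profile": [("email", "email"), ("age", "integer")],
}

if __name__ == "__main__":
    db = build_test_database(enumerate_fields(SAMPLE_MODULES))
    for c in db:
        print(f"{c.case_id}: value={c.sample_value[:12]!r} -> {c.success_criterion}")
    print(coverage_by_module(db))
```

The attack database is intentionally keyed by data type rather than by module, so adding a field to a module automatically picks up every probe already defined for that type, and adding a probe class applies it across every module; the per-module coverage count is what a tester checks before concluding that a module has been fully exercised.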
Application Assessment
In order to conduct a comprehensive Application Assessment, it is vital to have a broad and flexible testing methodology to uncover the most stubborn vulnerabilities.
An application testing methodology should leverage dozens of grey-box and black-box tests to better understand the workings of the applications while identifying vulnerabilities.
Generally, it is important to fully understand the unique circumstances around each application and what the primary concerns are.
A testing methodology should examine the risk in each of the following areas (the primary focus can be tailored to any specific area):
- Exposure and integrity of confidential information
- Exposure and integrity of confidential employee information
- Denial of service risk to application or application components
- Network infrastructure exposure via application vulnerabilities
Detailed Application Risk Assessment Methodology
An Application Assessment methodology should primarily focus on test classes. A test class is a specific area of expertise, such as Architecture, Business Logic or Development Procedures, which is tested through an overall examination of the deployed applications and of the security configurations taken from the threat models.
An application assessment methodology should primarily focus on the following test classes:
- Architecture
- Business Logic
- Development procedures
- Authentication
- Transmission security
- Session management
- Information or data leakage
- Input validation
- Logic flow and authorization
- Data corruption
- Application deployment
Secure deployment methodologies for an application type are based on market trends, new vulnerability developments and attack methodologies.
Reporting
Finally, when an assessment is completed, a report on the methodologies used to carry out the audit should be disclosed to the respective web application owner.
A detailed report should include the following:
- Standards followed
- Tools used
- List of vulnerabilities identified
- Descriptions of vulnerabilities
- Risk rating or severity of the vulnerabilities
- Proof of Concept
- Recommendations
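The report checklist above can be enforced rather than just remembered. Below is an added example (not code from the original article) in Python that models the listed report sections, derives each finding's severity from a qualitative likelihood-by-impact matrix, orders findings so the highest severity is read first, and refuses to render while any required item (a standard, a tool, a description, a proof of concept or a recommendation) is missing. The rating matrix, the sample standard and tool names and the sample findings are all constructed for illustration.

```python
"""Added example (not the article's own code): assemble and validate a pen-test
report with the sections the article lists. Rating matrix and sample data are
constructed assumptions, not an industry standard."""
from dataclasses import dataclass

LEVELS = ("low", "medium", "high")          # qualitative scale, rank 1..3
RATING_ORDER = {"High": 0, "Medium": 1, "Low": 2}


def severity(likelihood, impact):
    """Constructed likelihood x impact matrix: rank product 6-9 -> High, 3-5 -> Medium, else Low."""
    score = (LEVELS.index(likelihood) + 1) * (LEVELS.index(impact) + 1)
    if score >= 6:
        return "High"
    if score >= 3:
        return "Medium"
    return "Low"


@dataclass
class Finding:
    title: str
    description: str
    likelihood: str
    impact: str
    proof_of_concept: str
    recommendation: str


@dataclass
class Report:
    standards: list
    tools: list
    findings: list


REQUIRED_FINDING_FIELDS = ("title", "description", "proof_of_concept", "recommendation")


def validate(report):
    """Return a list of completeness problems; an empty list means the report may be issued."""
    problems = []
    if not report.standards:
        problems.append("no standards listed")
    if not report.tools:
        problems.append("no tools listed")
    for f in report.findings:
        label = f.title or "<untitled>"
        for name in REQUIRED_FINDING_FIELDS:
            if not getattr(f, name).strip():
                problems.append(f"finding '{label}' missing {name}")
        if f.likelihood not in LEVELS or f.impact not in LEVELS:
            problems.append(f"finding '{label}' has invalid likelihood/impact")
    return problems


def ranked_findings(report):
    """Findings ordered highest severity first; stable, so input order breaks ties."""
    return sorted(report.findings, key=lambda f: RATING_ORDER[severity(f.likelihood, f.impact)])


def render(report):
    """Produce the report as a list of text lines, or raise if it is incomplete."""
    problems = validate(report)
    if problems:
        raise ValueError("report incomplete: " + "; ".join(problems))
    lines = ["Standards followed: " + ", ".join(report.standards),
             "Tools used: " + ", ".join(report.tools),
             "Findings (highest severity first):"]
    for f in ranked_findings(report):
        lines += [f"- [{severity(f.likelihood, f.impact)}] {f.title}",
                  f"  Description: {f.description}",
                  f"  Proof of concept: {f.proof_of_concept}",
                  f"  Recommendation: {f.recommendation}"]
    return lines


# Constructed sample findings; the titles are generic and carry no real system details.
SAMPLE_FINDINGS = [
    Finding("Server banner reveals product version", "Response headers include the server version.",
            "low", "low", "Header observed in a normal HTTP response.", "Suppress version in banner."),
    Finding("Verbose error page discloses stack trace", "Unhandled exceptions render a stack trace.",
            "high", "low", "Malformed input to a form field returned a trace.", "Return a generic error page."),
    Finding("Missing authorization check on profile update", "A user can modify another user's profile.",
            "high", "high", "Changed the record id in a request; update succeeded.", "Enforce ownership server-side."),
]
SAMPLE_REPORT = Report(standards=["OWASP Web Security Testing Guide (sample)"],
                       tools=["manual review (sample)"], findings=SAMPLE_FINDINGS)

if __name__ == "__main__":
    print("\n".join(render(SAMPLE_REPORT)))
```

Keeping `validate` separate from `render` lets a reviewer run the completeness check on a draft without generating output, and the fixed `RATING_ORDER` means the ordering of the final report does not depend on which tester wrote the findings.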