Penetration Testing (or pen testing) is a mechanism used to verify whether network defenses are functioning as expected. This test simulates the behavior of hackers and malicious users attempting to breach a company’s website, information systems, or devices, and analyzes the target's risk level to assess whether security measures need enhancement. The ultimate goal is to identify and rectify security vulnerabilities before a real attack occurs.
Differences between Vulnerability/Source Code Scanning and Penetration Testing
Vulnerability and source code scanning are performed by automated scanning software. They are cost-effective and quick to execute but can only detect existing vulnerabilities, such as security issues in programming syntax.
Penetration testing, on the other hand, simulates hacker attacks through a combination of tactics to verify whether defenses can be breached. It is more costly but can detect the latest security vulnerabilities in real-time and provide recommendations for remediation. Therefore, penetration testing is more expensive and requires longer preparation.
Types of Penetration Testing
The following types are provided by Cloudflare:
Open-box Pen Test: In an open test, hackers will be given some information about the target company’s security in advance.
Closed-box Pen Test: Also known as a "single-blind" test, in this scenario, hackers receive no background information other than the target company’s name.
Covert Pen Test: Also called a "double-blind" penetration test, in this situation, almost no one in the company is aware that a penetration test is being conducted, including IT and security professionals who would respond to an attack. In covert tests, hackers must clearly define the scope and other details of the test in writing beforehand to avoid legal issues.
External Pen Test: In an external test, ethical hackers attempt to breach the company’s external technology, such as its website and external network servers. In some cases, hackers may not even enter the company’s building. This could mean they conduct attacks remotely or from a truck or van parked nearby.
Internal Pen Test: In an internal test, ethical hackers perform tests from within the company’s internal network. This type of test can determine how much damage a disgruntled employee might cause from behind the company firewall.
Preparation Before Pen Testing
Before conducting penetration testing, it’s common to perform a "vulnerability scan" or "source code scan" and preemptively fix visible vulnerabilities before conducting a simulated penetration to verify if these known vulnerabilities can be exploited for an intrusion.
Additionally, since penetration testing is a form of "vulnerability probing" and involves intrusion into company property, unauthorized penetration testing may be illegal in many countries. Therefore, it is crucial to agree on the test targets (website or host) with the vendor and sign a contract and consent form to avoid legal disputes.
Pen Testing Process
The process of penetration testing includes:
Project Requirements Confirmation: Confirm the testing requirements and sign legal authorization, an essential step to ensure the tester's actions are legal.
Preparation Phase: Confirm the testing methods, scope, and time, and gather publicly available information about the target.
Information Gathering: Develop strategies, gather data, and analyze information according to the OSSYMM framework.
Data Analysis and Vulnerability Scanning: Use OWASP standards to perform risk scanning, pre-emptively eliminating known issues.
Target Penetration: Execute actual penetration actions to attempt to breach the system.
Vulnerability Reporting: After testing, write a report detailing various vulnerabilities and remediation recommendations.
After obtaining the report, the operations team will follow the report’s content to patch the system. Finally, according to the contract, discussions may be held to determine whether retesting is necessary.
Standard Items in Pen Testing
Currently, there is no unified mandatory standard for penetration testing, but tests are usually conducted following public security testing items like OWASP Top 10. Here, we provide three mainstream testing standards: OWASP, OSSTMM, and SANS.
OWASP Top 10
The Open Web Application Security Project (OWASP) is an international non-profit organization dedicated to web application security. All of their materials are freely available and easily accessible on their website, enabling anyone to improve their web application security.
The OWASP Top 10 is one of the most widely adopted security checklists globally, with the latest version being OWASP Top 10 2021.
A01:2021 - Broken Access Control
A02:2021 - Cryptographic Failures
A03:2021 - Injection
A04:2021 - Insecure Design
A05:2021 - Security Misconfiguration
A06:2021 - Vulnerable and Outdated Components
A07:2021 - Identification and Authentication Failures
A08:2021 - Software and Data Integrity Failures
A09:2021 - Security Logging and Monitoring Failures
A10:2021 - Server-Side Request Forgery (SSRF)
OSSTMM
The Open Source Security Testing Methodology Manual (OSSTMM) is a comprehensive framework covering areas such as vulnerability scanning, penetration testing, and social engineering. Below are the items listed under the Information Security Testing category:
Footprinting: Identify and gather publicly available information about the target system or network.
Scanning: Use tools and techniques to identify open ports, services, and vulnerabilities in the target system.
Enumeration: Obtain detailed information about the internal structure of the target system or network, such as usernames, system names, and shared resources.
Vulnerability Assessment: Analyze known vulnerabilities in the system and assess their potential impact.
Exploitation: Attempt to exploit identified vulnerabilities to gain unauthorized access to the system.
Post-Exploitation: After gaining system access, further explore and exploit other system resources or data.
Reporting: Summarize the penetration test results, providing vulnerability descriptions and remediation recommendations.
SANS Top 20
The SANS 20 Security Controls, published by the Center for Strategic and International Studies (CSIS), are prioritized mitigation measures that can help improve cybersecurity. They include a set of 20 components to help you address common attack vectors and fix potential vulnerabilities.
CSC 1: Inventory of Authorized and Unauthorized Devices
CSC 2: Inventory of Authorized and Unauthorized Software
CSC 3: Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
CSC 4: Continuous Vulnerability Assessment and Remediation
CSC 5: Controlled Use of Administrative Privileges
CSC 6: Maintenance, Monitoring, and Analysis of Audit Logs
CSC 7: Email and Web Browser Protections
CSC 8: Malware Defenses
CSC 9: Limitation and Control of Network Ports, Protocols, and Services
CSC 10: Data Recovery Capability
CSC 11: Secure Configurations for Network Devices, such as Firewalls, Routers, and Switches
CSC 12: Boundary Defense
CSC 13: Data Protection
CSC 14: Controlled Access Based on the Need to Know
CSC 15: Wireless Access Control
CSC 16: Account Monitoring and Control
CSC 17: Security Skills Assessment and Appropriate Training to Fill Gaps
CSC 18: Application Software Security
CSC 19: Incident Response and Management
CSC 20: Penetration Tests and Red Team Exercises