Penetration Testing

Ideally, software and systems were designed from the start with the aim of eliminating dangerous security flaws. A pen test provides insight into how well that aim was achieved. Pen testing can help an organization

• Find weaknesses in systems
• Determine the robustness of controls
• Support compliance with data privacy and security regulations (e.g., PCI DSS, HIPAA, GDPR)
• Provide qualitative and quantitative examples of current security posture and budget priorities for management

Depending on the goals of a pen test, testers are given varying degrees of information about, or access to, the target system. In some cases, the pen testing team takes one approach at the start and sticks with it. Other times, the testing team evolves its strategy as its awareness of the system increases during the pen test. There are three levels of pen test access.

• Opaque box. The team doesn’t know anything about the internal structure of the target system. It acts as hackers would, probing for any externally exploitable weaknesses.
• Semi-opaque box. The team has some knowledge of one or more sets of credentials. It also knows about the target’s internal data structures, code, and algorithms. Pen testers might construct test cases based on detailed design documents, such as architectural diagrams of the target system.
• Transparent box. Pen testers have access to systems and system artifacts including source code, binaries, containers, and sometimes even the servers running the system. This approach provides the highest level of assurance in the smallest amount of time.

Pen testers simulate attacks by motivated adversaries. To do this, they typically follow a plan that includes the following steps:

• Reconnaissance. Gather as much information about the target as possible from public and private sources to inform the attack strategy. Sources include internet searches, domain registration information retrieval, social engineering, nonintrusive network scanning, and sometimes even dumpster diving. This information helps pen testers map out the target’s attack surface and possible vulnerabilities. Reconnaissance can vary with the scope and objectives of the pen test; it can be as simple as making a phone call to walk through the functionality of a system.
• Scanning. Pen testers use tools to examine the target website or system for weaknesses, including open services, application security issues, and open source vulnerabilities. Pen testers use a variety of tools based on what they find during reconnaissance and during the test.
• Gaining access. Attacker motivations can include stealing, changing, or deleting data; moving funds; or simply damaging a company’s reputation. To perform each test case, pen testers determine the best tools and techniques to gain access to the system, whether through a weakness such as SQL injection or through malware, social engineering, or something else.
• Maintaining access. Once pen testers gain access to the target, their simulated attack must stay connected long enough to accomplish their goals of exfiltrating data, modifying it, or abusing functionality. It’s about demonstrating the potential impact.

There is no one-size-fits-all tool for pen testing. Instead, different targets require different sets of tools for port scanning, application scanning, Wi-Fi break-ins, or direct penetration of the network. Broadly speaking, the types of pen testing tools fit into five categories.

• Reconnaissance tools for discovering network hosts and open ports
• Vulnerability scanners for discovering issues in-network services, web applications, and APIs
• Proxy tools such as specialized web proxies or generic man-in-the-middle proxies
• Exploitation tools to achieve system footholds or access to assets
• Post exploitation tools for interacting with systems, maintaining and expanding access, and achieving attack objectives

Although pen testing is mostly a manual effort, pen testers do use automated scanning and testing tools. But they also go beyond the tools and use their knowledge of the latest attack techniques to provide more in-depth testing than a vulnerability assessment (i.e., automated testing).

Manual pen testing

Manual pen testing uncovers vulnerabilities and weaknesses not included in popular lists (e.g., OWASP Top 10) and tests business logic that automated testing can overlook (e.g., data validation, integrity checks). A manual pen test can also help identify false positives reported by automated testing. Because pen testers are experts who think like adversaries, they can analyze data to target their attacks and test systems and websites in ways automated testing solutions following a scripted routine cannot.

Automated testing

Automated testing generates results faster and needs fewer specialized professionals than a fully manual pen testing process. Automated testing tools track results automatically and can sometimes export them to a centralized reporting platform. Also, the results of manual pen tests can vary from test to test, whereas running automated testing repeatedly on the same system will produce the same results.