About Penetration Testing
Penetration Testing itself is a testing process aimed at identifying the security weaknesses of web applications, network infrastructures, wireless devices, and other computer systems. Integrated Assessment Services carries out on Internet-accessible resources for this reason this method of testing is also called White Box Testing or sometimes as Clear Box Testing.
Integrated Assessment Services performs all kinds of testing, test design techniques are applied to derive test cases, but there are additional methods specific for penetration testing. Penetration testing can be done manually by a skilled tester or with the help of an automated tool or robot/agent the latter becoming increasingly the principal approach.
Penetration Testing and Security Assessments by IAS
Testing Strategy /Test Outline/Test Plan
The penetration test should be clearly defined in terms of what is to be tested, how it’s going to be tested and delivered. This should include clear start/endpoints so that all parties know when testing has been completed. A high-level test plan/outline generally includes the following:
- A description of what is to be tested and how including a high-level overview of likely/possible scenarios
- The identification of sources from where information would be collected (e.g., various websites)
- Rules regarding what to do in case sensitive information is found e.g., who to inform; how; what actions to take
Scope of Testing
Depending on the client’s requirements, the scope of testing can vary. Typical items that may be tested include:
- Network (external and internal) – e.g., devices connected to the network, wireless access points, remote connectivity mechanisms etc.• Workstation/Laptop/Server – e.g., desktop operating systems, server processes and services• Web servers (both internal and external)• Applications (e.g., custom inhouse developed, commercial off-the-shelf products, etc.)– Identification of vulnerabilities in both the applications themselves as well as in the environments that they are deployed into (e.g., web servers, databases, etc.)• Services running on the host (e.g., file-sharing services/protocols)• Authentication methodology and associated services/applications
Types of Penetration Test
The types of penetration tests that may be performed include:
White box – which is a test performed with full knowledge of the tested environment
Black box – which is a test performed without knowledge of the tested environment
Greybox – which is a test that combines both black-box and white-box techniques
Red box – mimicking an attacker who has compromised a host e.g., server, mobile device, PC, etc. by obtaining illegitimate access to resources through the exploitation of a vulnerability.
Other methodologies include:
Parallel testing – which is the process of running different test cases simultaneously thereby increasing efficiency and speed
Offensive Security – also known as “offensive hacking" or “black hat hacking", it’s an approach to information security that focuses on exploiting weaknesses in a computer system or network.
Fully Un-Automated Penetration Testing:
Integrated Assessment Services offer fully un-automated penetration testing service where we find and exploit all possible vulnerabilities in a given system. In this testing, IAS experts use vulnerability scanners to look for known software flaws that may be exploited by hackers. The weaknesses found are then used to access the system to identify even more vulnerabilities. IAS experts will come up with their own custom tools and scripts in order to exploit the identified vulnerability, thereby delivering a realistic simulation of an automated hacking attempt.
API Security Penetration Testing
Application Programming Interface (or API) is designed to let one software component call upon another software component for services without knowing much about the other component. For instance, you need to make a call to the Facebook API in order to upload a picture or add a comment on your friend’s Facebook wall etc.
The effectiveness of the security level of an application depends upon how secure and reliable its APIs are. Developers generally take care while writing code for an API but still there are chances of coding mistakes.
There are many API-related security issues that can be identified and fixed as follows:
Brute Force Attack – The API key is guessed one at a time until the correct one is found.
DoS (Denial of Service) through API Abuse – Memory/CPU usage is increased to the point where it affects the entire system rather than just the API.
an in the Middle Attack – An attacker intercepts messages sent between two parties and modifies them before forwarding them.
Security testing of APIs is also crucial for mobile applications that connect to multiple back-end services including authentication, database, website etc. Mobile developers must ensure that each API has been tested according to the OWASP Mobile API Security Testing Cheat Sheet.
IAS provides worldwide professional guidance on the best-practice usage of secure web technologies such as HTML, HTTP, URL, XML/XSLT, etc. This cheat sheet provides guidelines for testing APIs in order to detect various vulnerabilities that may lead to poor security posture.
Contact IAS for
Contact IAS today to learn more about penetration testing, or visit our penetration testing frequently asked questions page!
Also Visit our blog page to learn more about ISO Certification.