Penetration testing is performed to find vulnerabilities in networks, computer systems and applications. A standard penetration testing process involves analysis of known vulnerabilities plus either software testing or network security scanning. The Testbytes penetration testing approach differs from a plain vulnerability assessment: we tailor the testing process to your needs and focus on the quality of the result.
The Process
The penetration testing process involves three phases: pre-engagement, engagement and post-engagement.
Pre-engagement
Planning and preparation
A successful penetration test requires a great deal of preparation before the actual testing begins. Every party involved must be kept informed about each step taken, so a meeting between the testers and the client is the best way to start.
Purpose of the penetration test
Without a clear purpose for conducting the penetration test, the results will not be useful. The objective of the test is therefore agreed during this meeting.
Scoping
Scoping means deciding which machines, systems and networks will be tested, what the operational requirements are and who will be involved.
The results
The form in which the end results will be presented is also discussed during the meeting.
Duration
Testbytes handles several projects at a time, so the timing and duration of the penetration test must be allotted in advance so that other work can proceed uninterrupted. Proper planning of the test duration also reduces the risk of testing steps being skipped because of time constraints.
Documentation
The information finalized during the meeting must be documented so that the testers can refer to it throughout the engagement. The document should include the key steps and the expected outcomes, so that the testers can perform the test effectively against an agreed plan.
An effective penetration test involves the testers using techniques that would be illegal without the client's authorization, and the information gathered during the process is confidential. The testers must therefore sign the relevant legal documents before they start, to avoid trouble for either side.
Collecting information and analysis
After planning and preparation, the next step is to gather information about the systems or networks on which the test is to be performed. The target organization's public website is a good place to start. All of the information gathered is used during the later stages of the penetration test.
Engagement
Many tools are available for penetration testing. However, the judgement about which approach to take, which tools to use and which vulnerabilities to pursue is still made manually. Testing works best when automated and manual testing are combined rather than relying on either alone.
Penetration testing must be performed from a location where the Internet provider does not restrict ports or services, so that the results reflect the target and not the tester's own connection.
Application layer testing
The tester tests the application from the perspective of each of its user roles, checking whether users can access data that they are not actually allowed to access. The developers must ensure that all functionality and application security controls are in place before handing the application to the testers, so that the test is effective. If the application uses a backend API, the API has to be tested separately.
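The role-based check described above, as an added example that is not Testbytes' own tooling: the harness replays the same requests as every role and compares each response with the outcome the authorization design calls for, which catches both vertical gaps (a clerk reaching an admin page) and horizontal gaps (one customer reading another customer's record). `demo_app`, its roles and its invoices are constructed stand-ins for the application under test; against a real target, the `send` callable would issue HTTP requests with that role's session and return the status code, and the same matrix can be pointed at the backend API directly.

```python
"""Access-matrix check for application layer testing (added example)."""
from functools import partial
from typing import Callable, Dict, List, Tuple

# Constructed sample data: invoice id -> owning customer.
INVOICES = {"inv-1001": "alice", "inv-1002": "bob"}

# (role, user, method, path) is the key for one request in the matrix.
Request = Tuple[str, str, str, str]


def demo_app(role: str, user: str, method: str, path: str,
             enforce_ownership: bool = True) -> int:
    """Constructed in-memory stand-in for the target; returns an HTTP-like status.

    enforce_ownership=False models a build that forgot the ownership check,
    so the harness has something to catch.
    """
    if role == "anonymous":
        return 401                      # unauthenticated: no data at all
    if path.startswith("/admin/"):
        return 200 if role == "admin" else 403
    if path.startswith("/invoices/"):
        invoice = path.split("/")[2]
        if invoice not in INVOICES:
            return 404
        if role in ("admin", "clerk"):  # staff roles may read any invoice
            return 200
        if enforce_ownership and INVOICES[invoice] != user:
            return 403                  # customers only see their own invoices
        return 200
    return 404


# Expected outcomes written down from the authorization design before testing,
# so the tester compares against a specification rather than against the app.
EXPECTED: Dict[Request, int] = {
    ("admin", "root", "GET", "/admin/users"): 200,
    ("clerk", "carol", "GET", "/admin/users"): 403,
    ("customer", "alice", "GET", "/admin/users"): 403,
    ("anonymous", "", "GET", "/admin/users"): 401,
    ("customer", "alice", "GET", "/invoices/inv-1001"): 200,
    ("customer", "bob", "GET", "/invoices/inv-1001"): 403,   # horizontal check
    ("customer", "bob", "GET", "/invoices/inv-1002"): 200,
    ("clerk", "carol", "GET", "/invoices/inv-1002"): 200,
    ("anonymous", "", "GET", "/invoices/inv-1001"): 401,
    ("customer", "alice", "GET", "/invoices/inv-9999"): 404,
}


def run_matrix(send: Callable[[str, str, str, str], int],
               expected: Dict[Request, int]) -> List[dict]:
    """Replay every request in the matrix; return each mismatch as a finding."""
    findings = []
    for (role, user, method, path), want in expected.items():
        got = send(role, user, method, path)
        if got != want:
            findings.append({"role": role, "user": user, "method": method,
                             "path": path, "expected": want, "actual": got})
    return findings


def report(findings: List[dict]) -> str:
    """Human-readable summary for the engagement report."""
    if not findings:
        return "no access-control deviations"
    return "\n".join(
        f"{f['role']}/{f['user'] or '-'} {f['method']} {f['path']}: "
        f"expected {f['expected']}, got {f['actual']}" for f in findings)


if __name__ == "__main__":
    print("correct build:", report(run_matrix(demo_app, EXPECTED)))
    broken = partial(demo_app, enforce_ownership=False)
    print("build without ownership check:\n" + report(run_matrix(broken, EXPECTED)))
```

Writing the expected matrix before the first request is the important design choice: the tester then records deviations from what the application is supposed to do, not just whatever it happens to do.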
Network layer testing
Network layer testing can be largely automated, since most protocols are clearly defined and have standard modes of interaction. Testing tools can detect misconfigurations and vulnerabilities and identify a service or software version, and automation performs these tasks faster than manual work. It does not cover the entire testing process, however: the tools point to potential attacks, but it is up to the tester to interpret the vulnerabilities and act accordingly.
Segmentation check
The segmentation check repeats the testing performed during the initial stages of network layer testing, this time against the cardholder data environment (CDE). During this step the tester must ensure that:
- No isolated LAN has access into the CDE
- Every network segment that is supposed to be isolated from the CDE genuinely has no access into it
Where a large number of network segments have been isolated from the CDE, testing a representative subset can reduce the number of segmentation checks. The tester tests the individual segments to make sure that all security controls work as expected. If a LAN is found to have access to the CDE, the testers must either limit that access or perform a complete network layer penetration test from that segment to establish what the access allows.
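The segmentation check above, as an added example that is not Testbytes' own tooling: every segment that is supposed to be isolated from the CDE is probed towards each CDE host and port, and any completed connection is recorded as a segmentation failure. `tcp_probe` does the real work when the script runs from a host inside the segment under test; `check_segmentation` takes the prober as a parameter so the same logic can be run over recorded results, and `representative_subset` implements the subset idea by keeping one segment per distinct firewall policy. All segment names, policy names, addresses, ports and recorded results are constructed.

```python
"""Segmentation check harness (added example)."""
import socket
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List


@dataclass(frozen=True)
class Segment:
    name: str
    policy: str   # firewall policy / ACL applied; segments sharing one are equivalent


@dataclass(frozen=True)
class Violation:
    segment: str
    target: str
    port: int


def tcp_probe(target: str, port: int, timeout: float = 2.0) -> bool:
    """True if a TCP handshake completes. Run from inside the segment being checked."""
    try:
        with socket.create_connection((target, port), timeout=timeout):
            return True
    except OSError:
        return False


def representative_subset(segments: Iterable[Segment]) -> List[Segment]:
    """Keep one segment per distinct policy. Used when many isolated segments
    are enforced by the same rule sets and testing all of them adds nothing."""
    first_per_policy: Dict[str, Segment] = {}
    for seg in segments:
        first_per_policy.setdefault(seg.policy, seg)
    return list(first_per_policy.values())


def check_segmentation(segments: Iterable[Segment], cde_targets: Iterable[str],
                       ports: Iterable[int],
                       prober: Callable[[str, str, int], bool]) -> List[Violation]:
    """prober(segment_name, target, port) -> reachable. Returns every reachable
    (segment, target, port) triple; an empty list means segmentation held."""
    cde_targets, ports = list(cde_targets), list(ports)
    violations: List[Violation] = []
    for seg in segments:
        for target in cde_targets:
            for port in ports:
                if prober(seg.name, target, port):
                    violations.append(Violation(seg.name, target, port))
    return violations


def from_local_host(segment_name: str, target: str, port: int) -> bool:
    """Prober to use when this script runs on a host inside segment_name."""
    return tcp_probe(target, port)


# Constructed sample inputs.
SEGMENTS = [Segment("guest-wifi", "acl-guest"), Segment("office-lan-1", "acl-office"),
            Segment("office-lan-2", "acl-office"), Segment("build-farm", "acl-build")]
CDE_TARGETS = ["10.0.5.10", "10.0.5.11"]   # constructed CDE host addresses
PORTS = [22, 443, 1433]

# Constructed recorded results: exactly one connection completed.
RECORDED = {("guest-wifi", "10.0.5.10", 443)}


def recorded_prober(segment: str, target: str, port: int) -> bool:
    """Replays recorded results instead of touching the network."""
    return (segment, target, port) in RECORDED


if __name__ == "__main__":
    subset = representative_subset(SEGMENTS)
    print("testing segments:", [s.name for s in subset])
    for v in check_segmentation(subset, CDE_TARGETS, PORTS, recorded_prober):
        print(f"SEGMENTATION FAILURE: {v.segment} reached {v.target}:{v.port}")
```

A single violation is enough to fail the check and must go to the client immediately; the list of (segment, target, port) triples is also the evidence the report needs to show exactly which control did not hold.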
Access to cardholder data
If the testers are able to access cardholder data during the penetration test, the client must be notified immediately. The testers must also document which data was accessed and how it was accessed.
Post-engagement
After performing penetration testing, there are certain things that both the testers and the clients must do.
Remedial practices
Some vulnerabilities may remain undetected even after an effective penetration test. They are mainly the result of weak development practices or ineffective security controls. The testers investigate the whole application to uncover these hidden vulnerabilities.
Retest detected risks
After the detected vulnerabilities have been corrected, the application is retested to verify that the fixes actually remove the risk. If the retest takes place a long time after the original test, a new testing engagement is required; whether this is necessary is decided by analyzing how much has changed since the original test.
Documentation
The testers document every change they made during the test, including the accounts created for testing and the tools installed to perform it. These artifacts are then removed so that nobody can later use them against the client organization.