5 Approaches to Your Pen-Test Program

Penetration testing is an authorized simulation of real-world attacker techniques, used to hunt for and highlight vulnerabilities in your networks, applications, and devices. This is done by testing in a controlled environment without compromising routine business activities. There are many forms of Penetration Testing services, including External Penetration Testing, Internal Penetration Testing, Web Application Security Testing, Mobile Application Security Assessment, Wireless Network Security Assessment and Cloud Penetration Testing.

In this blog, we look at some of the necessary penetration testing security testing approaches. Starting with a look into what is Secure Code Review, followed by an observation of Web Application Security Testing, Network Penetration Testing, Cloud Penetration Testing, and Red Team Penetration Testing.

1. What is Web Application Security Testing?

Web Application Security Testing is used to identify vulnerabilities and safeguard against threats, by identifying possible vulnerabilities that could lead to attacks like SQL injection, cross-site scripting, I/O data validation and exception management.

Applications such as heavy client web-based mobile apps, or micro services, exposed over the internet are arguably one of the easiest entry points for an adversary. This is because it is easy to stay hidden when acting as a legitimate user and perform malicious activities.

These applications will have functionalities and other connectivity’s which run dynamically, making it a focal point to perform security assessments.

To identify and safeguard against these threats, use a 6-phase approach to Web Application Security Testing

1. Engagement
2. Reconnaissance
3. Scanning
4. Vulnerability Assessment
5. Exploitation
6. Reporting

These assessments should be performed against OWASP Application Security Verification Standard Project (ASVSP) Guidelines covering SANS 25, OWASP Top Ten and all threat classes from Web Application Security Consortium (WASC).

The advantage of performing a Web Application test, before production deployment, is that it is application focused and overcomes the shortcomings of code review capabilities. Business logic vulnerability verification, Vertical and horizontal Privilege escalation testing for different roles and False positive validation using industry standard DAST tools are a crucial part.

2. What is Network Penetration Testing?

Network penetration testing uncovers the exposure of an organizations assets, and attacks where an adversary aims to gain unauthorized access to systems.

Network Penetration testing can be carried out from the position of an internal or external attacker trying to gain access to the network and can involve active exploitation of security vulnerabilities and misconfigurations based on industry standards such as NIST, OSSTMM and PTES.

Wireless access points can also be considered to fit in this assessment, due to its nature of exposure. The difference in this type of assessment is that it is not specific to code or application functionality, but all the services exposed by an organization increasing the attack surface.

SecurityHQ uses comprehensive testing methods and tools while performing network penetration testing, to get the best results

3. What is Cloud Penetration Testing?

We have seen a massive adoption of cloud technologies across various business verticals, which brings in the need to divert the focus of traditional penetration testing to a cloud system specific one.

The scoping of cloud penetration testing differs based on the type of service (PaaS, SaaS, IaaS) being acquired by the organization. As per Gartner, top cloud vulnerabilities occur due to security misconfigurations, most commonly IAM misconfigurations and exposed S3 buckets. For more on this, read this blog on Compromised AWS S3 Buckets .

4. What is Red Teaming?

Red Teaming aims to simulate real-life attacks using a combination of several attack methodologies. The approaches are to simulate an external adversary and perform social engineering covertly to gain initial access to an internal system, or as an internal attacker to perform an adversary simulation to gain unauthorized access to sensitive IT systems, active directory, business sensitive application/database.

This type of assessment is carefully scoped between a vendor and the organization, to test the resilience of the security controls tested and implemented using the above testing methods. Apart from the expertise required by any red teamer, MITRE ATT&CK framework is the most used knowledge base use for tactics, techniques, and procedures. For more on this framework, read ‘How the MITRE ATT&CK Framework has Revolutionized Cyber Security’.

5. What is a Secure Code Review?

In addition to Penetration Testing, Secure code review should be conducted in order to provide a more complete analysis/coverage.

Analysing the source code of applications is essential to detect existing security flaws or vulnerabilities. By highlighting these vulnerabilities, it is easier to implement remediation, design changes, and reduce the effort and costs involved later down the line. The approach to analyze the code usually involves the scanning of the code using the best tools, such as Gartner Magic Quadrant tools.

Once the source code is scanned, here we analyze for flaws such as logic errors, sensitive information, and check style guidelines against well renowned OWASP standards. Incremental code reviews are very effective but strictly at code level only.

Recommendations to Enhance Your Cyber Security

While it does enhance your cyber security posture, complying to certain standards does not instantly make you, your systems, or your people, secure. Not only do you need to make sure that you have the right security measures in place, but you need to follow the right approach to security, with the right people. Be selective about the vendor you choose, and build a long-term relationship with that vendor, to work together to gain better results that fit with your organisations profile and expectations.

Having conducted incident response investigations across a wide range of industries, SecurityHQ are best placed to work with businesses large and small, and across numerous technical environments to reduce the impact of a cyber security incident. For more information on these threats, speak to an expert here.

Or, if you suspect a security incident, you can report an incident here.