What is Penetration Testing?
A penetration test simulates the tools and techniques of an attacker to detect and exploit vulnerabilities. This approach conducted by a skilled professional helps you identify possible attack routes and securities vulnerabilities that may not be found from vulnerability assessments.
Penetration testing can be conducted from within your network to simulate insider threat or from the public internet to simulate an external hacker. And depending on your objectives, the assessment can be performed as an unauthenticated user (no login access) or with test user accounts.
To detect vulnerabilities in the operating system and commonly used software in servers and network devices.
To detect vulnerabilities at the application layer, usually for custom-developed web and mobile apps.
To detect vulnerabilities in the wireless network implementation within your organization’s premises.
Penetration Testing Process
Run scanning tools to analyze target and detect potential vulnerabilities.
Perform manual testing, verify vulnerabilities and attempt to exploit the target.
Analyze impact and severity of issues, and recommend corrective action.
Verify if previously detected vulnerabilities have been fixed adequately.
Frequently Asked Questions
What is the difference between black-box and grey-box testing?
Black-box testing simulates an unauthorized attacker with no user credentials i.e. testing without logging into the system. With this approach, system functions requiring authenticated access will not be tested.
Grey-box testing simulates an authorized but malicious attacker with user credentials i.e. testing by logging into the system. With this approach, system functions requiring authenticated access will be tested.
What is the difference between internal and external testing?
Internal testing simulates a malicious insider attack and is conducted from within the customer internal network and from a segment where the targets are accessible.
External testing simulates a malicious outsider attack and is conducted from the public internet without modification of customer’s perimeter defence.
What is included in network penetration testing?
Network penetration testing is focused on the services running on the network and is primarily concerned with vulnerabilities at the operating system layer and common software (e.g. NIST CPE) of the target hosts and devices.
What is included in application penetration testing?
Application penetration testing is focused on the functionalities of the application (including web API servers for mobile apps) and is primarily concerned with application layer vulnerabilities, especially the OWASP Top Ten Web Application Security Risks and OWASP Mobile Top 10.
What methodologies do you use?
We adopt the following guidelines for our penetration testing methodology:
- Penetration Testing Execution Standard
- OWASP Web Security Testing Guide
- OWASP Mobile Security Testing Guide
Specific testing procedures are executed based on the nature of the testing and environment.
What tools do you use?
We use both commercial and open source tools including Tenable Nessus Pro, Burp Suite Pro, Kali Linux, Metasploit, etc.