Can you explain what “penetration testing” is and when it should be performed?
Penetration testing is the art of probing an application in a holistic manner, seeking vulnerabilities that would allow a malicious user to threaten the security of that application. As a quick reminder, security in its most basic form can be summarized as confidentiality, integrity and availability. With the number of data breaches around the world, most organizations tend to fixate on confidentiality, but integrity and availability are equally critical: an attacker who can alter your data or take your application offline has breached its security just as surely as one who steals it.
Many security experts focus on penetration testing of the network layer alone, but this is insufficient. Attackers have moved up the stack, and their attacks have grown more sophisticated. Rather than scanning a network in search of open ports, they now embed their attacks in otherwise-valid Web traffic. This reflects two things: 1) most companies are locking down their networks and closing the holes traditionally exploited to violate security, and 2) the real money is in harvesting and reselling data, which is most easily reached through the Web application. So the traditional model of "hacking" a network alone no longer suffices, and as a penetration tester you must develop expertise in testing both the network and the application. However, don't underestimate the importance of testing the network. An open port is like an unlocked door, and even though one is rarely left open for them, a good attacker will always start with the basics. So your penetration testing should definitely include probes of the network layer, beginning with a scan for open ports and the services listening on them.
Penetration testing the application is best done methodically, and here the OWASP Top Ten is very helpful. It lists the ten most critical Web application vulnerability categories, based on worldwide experience and exposure data. Become proficient in testing for these ten classes of vulnerability, and exercise each of them against your application. Work this into the manual testing portion of an OWASP Application Security Verification Standard (ASVS) assessment of your application, to ensure broad coverage of its security.
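To make "testing for the Top Ten" concrete, here is an added example (not code from the original answer) for the injection category: a login lookup written two ways against a constructed in-memory SQLite table, plus a probe that sends the classic tautology payload and reports whether it bypasses authentication. The table contents, the function names and the payload are assumptions made for this illustration.

```python
import sqlite3

# Constructed sample user table for this example (not any real application's data).
SAMPLE_USERS = [("alice", "s3cret"), ("bob", "hunter2")]

# Classic tautology payload a tester would try in the username and password fields.
INJECTION_PAYLOAD = "' OR '1'='1"


def make_db():
    """Build an in-memory database holding the constructed sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def login_vulnerable(conn, username, password):
    """The kind of code the Top Ten warns about: attacker input is spliced
    straight into the SQL text, so it is parsed as SQL grammar, not as data."""
    query = ("SELECT username FROM users WHERE username = '%s' "
             "AND password = '%s'" % (username, password))
    return [row[0] for row in conn.execute(query)]


def login_hardened(conn, username, password):
    """Parameterised query: the driver binds the values, so the payload is
    compared literally against the column and never changes the query."""
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(query, (username, password))]


def probe_injection(login):
    """Run the tautology payload through a login function and return True if
    it returns any rows, i.e. authentication was bypassed."""
    conn = make_db()
    return len(login(conn, INJECTION_PAYLOAD, INJECTION_PAYLOAD)) > 0


if __name__ == "__main__":
    for name, fn in (("vulnerable", login_vulnerable), ("hardened", login_hardened)):
        print("%s login bypassed by injection: %s" % (name, probe_injection(fn)))
```

The vulnerable form turns the payload into `... WHERE username = '' OR '1'='1' AND password = '' OR '1'='1'`, which is true for every row, so the probe returns every user; the hardened form returns nothing for the payload and still works for a genuine credential. The same probe-and-compare pattern applies to each Top Ten category: craft the input the category describes, run it against the component, and confirm the application treats it as data rather than as instructions.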
The best time to perform this testing varies from team to team. It is partly a function of the team's development lifecycle, and partly a function of application and resource availability. Some key exercises can be performed throughout the lifecycle. During the design phase, conduct a threat model: identify the components of the application, determine where data crosses trust boundaries, and evaluate the conditions under which the data moves (authentication, authorization, input validation and sanitization, etc.). Some application penetration testing can take place during the implementation phase. When an application component is deemed "code complete," the test team can step in and begin an OWASP Top Ten evaluation of that component. A wider network and application analysis may need to wait until the customer acceptance or even deployment phase of a project. No matter what, your deployment phase MUST end with validating that configuration settings are correct. There's nothing worse than accidentally leaving a door unlocked in your application because a network or deployment engineer forgot to enforce SSL/TLS on an ecommerce application.
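The deployment-phase check the paragraph ends on can be scripted rather than eyeballed. The following is an added example, not code from the original answer: it parses raw HTTP responses captured from the plain-HTTP and HTTPS ports of an ecommerce host and reports whether SSL/TLS is actually enforced (HTTP redirects to HTTPS on the same host, HSTS is present with a sensible lifetime, and session cookies carry the Secure flag). The sample responses, the host name `shop.example` and the 180-day minimum HSTS lifetime are assumptions constructed for this illustration.

```python
# Constructed sample responses (not captured from any real system).
HTTP_RESPONSE_GOOD = (
    "HTTP/1.1 301 Moved Permanently\r\n"
    "Location: https://shop.example/\r\n"
    "Content-Length: 0\r\n\r\n"
)
HTTPS_RESPONSE_GOOD = (
    "HTTP/1.1 200 OK\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "Set-Cookie: session=abc123; Secure; HttpOnly; Path=/\r\n"
    "Content-Type: text/html\r\n\r\n<html>cart</html>"
)
# The misconfiguration the text warns about: port 80 serves the cart directly,
# and the HTTPS side sets no HSTS header and a cookie without the Secure flag.
HTTP_RESPONSE_BAD = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>cart</html>"
HTTPS_RESPONSE_BAD = "HTTP/1.1 200 OK\r\nSet-Cookie: session=abc123; Path=/\r\n\r\n"


def parse_response(raw):
    """Split a raw HTTP/1.1 response into (status code, [(name, value), ...]).
    Header names are lower-cased so lookups are case-insensitive."""
    head, _, _body = raw.partition("\r\n\r\n")
    status_line, *header_lines = head.split("\r\n")
    status = int(status_line.split(" ", 1)[1].split(" ")[0])
    headers = []
    for line in header_lines:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return status, headers


def check_tls_enforcement(http_raw, https_raw, host, min_hsts_age=15552000):
    """Return a list of findings; an empty list means TLS enforcement passed.
    min_hsts_age defaults to 180 days (an assumed policy, not a standard)."""
    findings = []

    # 1. Plain HTTP must redirect, permanently, to HTTPS on the same host.
    status, headers = parse_response(http_raw)
    location = dict(headers).get("location", "")
    if status not in (301, 308):
        findings.append("plain HTTP served content instead of redirecting (status %d)" % status)
    elif not (location == "https://" + host or location.startswith("https://" + host + "/")):
        findings.append("HTTP redirect does not point at https://%s" % host)

    # 2. HTTPS must pin browsers to TLS via HSTS with an adequate max-age.
    status, headers = parse_response(https_raw)
    hsts = dict(headers).get("strict-transport-security")
    if hsts is None:
        findings.append("missing Strict-Transport-Security header")
    else:
        max_age = 0
        for directive in hsts.split(";"):
            key, _, value = directive.strip().partition("=")
            if key.lower() == "max-age" and value.isdigit():
                max_age = int(value)
        if max_age < min_hsts_age:
            findings.append("HSTS max-age %d below minimum %d" % (max_age, min_hsts_age))

    # 3. Every cookie set over HTTPS must be marked Secure, or a downgrade leaks it.
    for name, value in headers:
        if name == "set-cookie":
            attrs = [a.strip().lower() for a in value.split(";")[1:]]
            if "secure" not in attrs:
                findings.append("cookie %r set without Secure flag" % value.split(";")[0])
    return findings


if __name__ == "__main__":
    print("good deployment:", check_tls_enforcement(HTTP_RESPONSE_GOOD, HTTPS_RESPONSE_GOOD, "shop.example"))
    print("bad deployment:", check_tls_enforcement(HTTP_RESPONSE_BAD, HTTPS_RESPONSE_BAD, "shop.example"))
```

In practice you would feed the checker the responses from a real request to ports 80 and 443 of the deployed host; the point is that the check runs as the last step of deployment, every time, rather than depending on someone remembering to look.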
This was first published in March 2011