Penetration Testing, often abbreviated to PenTesting, is a method of testing the security of a system by attempting to discover and actively exploit vulnerabilities within it. It is amongst the most effective methods of determining the actual risk posed by a system, because the risk of the vulnerabilities present is not merely estimated: they are exploited to determine how much leverage they would offer an attacker.
When people first hear that description, it may sound like a potentially risky approach to determining security risk, as “active exploitation” sounds quite extreme. The truth is that in most instances the risk of security testing of this nature is very low, as long as the assessment is well planned and performed by an experienced tester.
Typically, when speaking about automated security testing, you would be discussing vulnerability scanning. Whilst automation typically makes vulnerability scanning much cheaper than manual security testing such as Penetration Testing, it is often less effective.
That doesn’t mean that vulnerability scanning is ineffective: because it is cheaper and automated, it can often be performed more regularly than manual Penetration Testing. However, PenTesting generally finds more security vulnerabilities than scanning, and is generally more accurate in grading those risks because it can demonstrate the leverage they offer.
Additionally, there are certain classes of vulnerability (such as Business Logic Issues) that are very difficult to find in a purely automated manner, and manual penetration testing may be the only suitable approach for that small number of issues.
Penetration Testing can cover internal company networks, external (internet-facing) infrastructure, web applications, mobile applications, and more.
As penetration testing is typically the most effective security testing mechanism for determining vulnerability depth, almost all systems and organisations would benefit from this approach. However, depending on the complexity of the application and how frequently it receives updates, the length and frequency of testing that is needed may be significantly reduced. Most organisations should perform penetration testing at least annually – however a lot can change in a year, so alternative approaches such as continuous security testing may be better suited to many organisations.
The key first step to penetration testing is the “Pre-engagement” meetings, where the customer can discuss with their tester the type of approach they would most benefit from, what the focus of the assessment should be, and how the engagement will be delivered (such as testing being required to take place out of hours, or progress reports being required during the testing). This should include exactly what is in and what is out of scope for testing.
At this point you should be introduced to the actual tester who is performing the engagement, and should exchange contact details in case questions arise during the testing or the testing needs to be stopped at short notice for any reason. The customer should ensure that a primary contact is available throughout the testing window in case any critical vulnerabilities that need immediate attention are discovered.
Akimbo’s approach to security testing is a little different: we continuously update our Security Testing Platform during the engagement so that you can see vulnerabilities as they are discovered and communicate with the tester throughout the engagement. This allows you to keep an eye on the engagement if you would like and to see the progress made, even if you have required that work is conducted out of office hours.
During the engagement, from the customer’s point of view it can seem like not a lot is happening. Many penetration testing companies firmly split “testing” and “reporting” into two phases. This simplifies delivery for them, as it allows the tester to focus on finding as many security vulnerabilities as possible and leveraging them to see how far they can go. The problem with this approach is that, for the customer, things can get very quiet.
To keep up to date on what’s happening with the engagement, some customers request a daily “debrief” of the activities that have taken place that day and any major findings.
Once the engagement is over and all of the issues have been discovered, the final stage is reporting. Many penetration testing companies typically have a ten working day turnaround time for a penetration test report. These are often delivered as an encrypted PDF over email.
Akimbo have a different approach here: we add the details of each issue to our Security Testing Portal as soon as it is found. You can even choose to be notified by text or email via the platform for critical vulnerabilities. You can also discuss each finding with the testing team if you have any questions or need further detail to understand an issue. Security Testing Reports can be downloaded at any stage of the engagement, and new findings will be added within 24 hours of confirmation by the tester. When an issue is fixed, retesting can be requested through the portal, and retesting simple issues will not incur a charge.
A key aspect of penetration testing is retesting. Once all security issues have been resolved, it’s critical to ensure that a retest is conducted to confirm the attempted fix was successful. Therefore, when engaging a penetration testing firm, it’s key to ask how quickly retesting can be performed and whether there is a cost associated with it. Whilst finding vulnerabilities can be incredibly time consuming, retesting some vulnerabilities can take only a few minutes – so it would be frustrating to have to wait weeks and pay a full day-rate to check that a few issues are remediated.