“Penetration test” is a term that we, as security professionals, use every day. But we sometimes forget that not everyone knows exactly what it means, or why we perform penetration testing.
Let’s take a few minutes to review what it is, by answering simple questions.

Who performs a penetration test?

A penetration test (also referred to as a “pentest”) requires quite a broad set of skills: quickly understanding the logic of a web application, covering all possible attacks, covering the whole surface of the application, providing good technical recommendations to fix vulnerabilities…

In an ideal world, a pentester would be someone with a developer background, knowing a good variety of languages and systems. But above all, it must be someone working with a real methodology, trained and experienced.
Being able to test the security of a website requires a different approach than QA testing. QA testers ensure the application works properly; pentesters try to do whatever is possible, and the worse, the better.


What is tested during a web penetration test?

A web application? Yes, but that’s not enough. Penetration testing can be applied to a lot of things, even outside of the IT world, so we must define the boundaries of the test.

What is typically tested during a web penetration test is:

  • the web application itself (whether it is a desktop app or a mobile app)
  • the web server configuration (available services)
  • web services, APIs, and more generally all kinds of services linked to the web application and accessible from the Internet

A penetration test contract usually defines (in the case of a grey box pentest) a domain or IP address to be tested. We also agree on out-of-scope portions of the application that must not be tested, whether because they are managed by a third-party company, or for any other reason.

A penetration test is different from a vulnerability assessment: a vulnerability assessment looks for vulnerabilities, where a penetration test exploits the vulnerabilities to look further into potential attacks and damages.

How is a penetration test performed?

Penetration testers use many things during a web application pentest:

  • their skills! Sounds obvious, right?
  • many tools, developed by third-party companies, each used for specific needs and cases
  • scripts and tools developed internally, for the convenience of the pentester, and to complement the tools available on the market

Although it’s not the case in every pentesting company, a strict methodology must be followed throughout the course of a pentest, to ensure everything is covered and that as many vulnerabilities as possible are found.

Where does a penetration test take place?

Depending on the type of test, it can be performed either on the client’s premises, or from the pentesting company’s offices.

If the web application cannot be tested from the outside, then the pentesters will have to do it locally. The same scenario occurs if a deep interaction with the web application developers is required.

When should we perform a penetration test?

Some companies never run a penetration test… until they get hacked and start realizing it should have been done.

Doing it before it’s too late is fine, but what does that mean in practice?

  • For a new web application
  • When a new release of a website goes live (ideally before it is live…)
  • After major changes to an existing application
  • On a regular basis, to ensure new attack techniques cannot be used

Penetration testing is only one component of a full web application security strategy. That strategy must be thought through, planned, and tailored to the company.

Why do we do penetration testing?

Because we love doing it!
More seriously, the goal of penetration testing is to find as many vulnerabilities as possible and fix them before the bad guys find them and exploit them.
The risks are too high to ignore web security, and although security must be kept in mind during the design of web applications, running a penetration test is the only way to get a clear picture of where you stand.