Penetration testing (also known as pentesting, or more generally security testing) is the process of testing your applications for vulnerabilities and answering a simple question: "What could a hacker do to harm my application, or organisation, out in the real world?"
An effective penetration test will usually involve a skilled hacker, or a team of hackers. You purposefully ensure that the hacker(s) don't have access to any source code, and ask them to try to gain access to your systems. Penetration tests can be carried out against IP address ranges, individual applications, or with as little starting information as a company name. The level of access you give an attacker depends on what you are trying to test.
To give a few examples of penetration tests you could run:
- You could give a team of penetration testers a company's office address and tell them to try to gain access to its systems. The team could employ a huge range of differing techniques to try to break into the organisation, ranging from social engineering (e.g. asking a receptionist whether they can take a look in a computer room to run safety checks, then installing USB keyloggers) through to complex application-specific attacks.
- A penetration tester could be given access to a version of a web application you haven't deployed yet and told to try to gain access or cause damage by any means possible. The penetration tester will then employ a variety of different attacks against various parts of the application in an attempt to break in.
One thing which is common amongst all penetration tests is that they should always have findings. There is no perfect system, and all organisations can take additional steps to improve their security. The purpose of a penetration test is to identify key weaknesses in your systems and applications, so that you can determine how best to allocate resources to improve the security of your application, or of your organisation as a whole. Beyond identifying those weaknesses, penetration tests have several further benefits:
- They can give security personnel real experience in dealing with an intrusion. A penetration test should be done without informing staff, and will allow an organisation to test whether its security policies are truly effective. A penetration test can be thought of much like a fire drill.
- It can uncover aspects of security policy that are lacking. For example, many security policies focus heavily on preventing and detecting an attack on an organisation's systems, but neglect the process of evicting an attacker. You may discover during a penetration test that, whilst your organisation detected the attacks, security personnel could not remove the attacker from the system efficiently before damage was caused.
- They provide feedback on the most at-risk routes into your company or application. Penetration testers think outside the box and will try to get into your system by any means possible, as a real-world attacker would. This can reveal major vulnerabilities your security or development team never considered. The reports generated by penetration tests give you feedback for prioritising any future security investment.
- Penetration testing reports can be used to help train developers to make fewer mistakes. If developers can see how an outside attacker broke into an application, or a part of an application, they helped develop, they will be more motivated to improve their security education and avoid making similar errors in the future.
So if your organisation isn't already using regular penetration tests to assess the security of its systems, its applications, and the organisation as a whole, why not? Your first few penetration tests will probably deliver some shocking results and highlight that your organisation is much more vulnerable to attack than you ever predicted.
(by Alan Pearson / securityinnovationeurope.com)