Penetration Testing – Part 1: The purpose of the blog is to define objectives and scope of Penetration Testing in a project. In part one, I’ll provide an introduction and overview of Penetration Testing. Also, we’ll talk about the causes of vulnerabilities, why Penetration Testing is performed, testing scope and strategy, steps to be performed during Penetration Testing, testing techniques, roles involved in the testing and its limitations.
What is Penetration Testing?
Penetration Testing evaluates computer and network security by simulating an attack on software or the network from external and internal threats. A Penetration Test attempts to exploit the vulnerabilities to determine whether unauthorized access or any other malicious activity is possible that can be dangerous for the application.
Penetration Testing typically includes network penetration and application security testing. It also includes controls and processes around the networks and applications. Both external and internal traffic should be considered.
The general process tends to be that your systems are tested and you receive a report that highlights all the insecure areas that need attention, along with advice on how to fix them.
Causes of Vulnerabilities
- Design and development errors
- Poor system configuration
- Human errors
Why is Penetration Testing performed?
The goal of Penetration Testing is to find all of the security vulnerabilities that exist in the systems being tested. It is a good idea to be proactive and find out the threats to your application in advance. Penetration Tests are valuable for several reasons:
- Some industries and types of data are regulated and must be handled securely, such as credit card information, SSN, etc. In this case, your regulator should insist on a Penetration Test as part of a certification process.
- You are a product vendor and your client asks you to perform the Penetration Test on their behalf.
An application has already been hacked and the organization wants to determine if any threats are still present in the system to avoid future hacking attacks.
- Medical and health systems store patient’s confidential data, so to make sure that the data is secure; a Penetration Test is performed. In the USA, the HIPAA act ensures that patient personal and medical information must be kept secret and must only accessible by authorized and required authorities or persons. HIPAA violations may result in serious penalties.
Organization wants to perform Penetration Testing proactively to find out about prospective threats in advance.
It is very important for any organization to identify security issues present in their internal network and computers. By using this information, organizations can make plans to avoid any hacking attempt. Currently, privacy and data security are the biggest concerns. Organization can face legal issues due to a small loophole left in a software application. Hence, organizations look for PCI compliance certifications before doing business with third party clients.
Penetration Testing should cover all areas which are not public. An unauthorized user should not be able to access the restricted or private modules of an application.
Penetration Testing does not only cover the software or application, but also hardware and the network. Hence, Penetration Testing should cover the following:
Penetration Testing Strategy/Process
- Areas are identified before Penetration Testing is performed. This step involves an active analysis of the system for potential vulnerabilities. A person or team who has experience in Penetration Testing must be involved in the analysis.
- The environment (hardware and operating system) for Penetration Testing is finalized.
- Penetration Testing Strategy is developed to address the risks identified throughout the environment, once threats and vulnerabilities have been evaluated. All locations of sensitive data, all key applications that store, process or transmit sensitive data, all key network connections and all key access points should be included.
- Security vulnerabilities and weaknesses should be exploited by attempting to penetrate at both the network level and key applications. The purpose of Penetration Testing is to determine if an unauthorized user can access the key applications and files. The vulnerability should be corrected if unauthorized access is achieved. Penetration Testing should be re-performed until unauthorized access and other malicious activities are restricted.
- Security issues found through the Penetration Test are presented to the relevant stakeholders. Effective
- Penetration Tests will couple this information with an accurate assessment of potential impacts to the company and outline a range of technical and procedural contingencies to reduce risks.
- Penetration Testing should be performed on every major change, such as an addition of a new module or functionality.
- Penetration Testing should be performed until the system is not accessible from unauthorized persons.
Steps in Penetration Testing:
The following activities are performed to execute the Penetration Test.
1. Planning Phase
- Scope & Strategy of the assignment is determined.
- Existing security policies and standards are used for defining the scope.
2. Discovery Phase
- Collect as much information as possible about the systems including sensitive information.
This is also called Fingerprinting.
- Scan and probe into the ports.
- Check for vulnerabilities of the system.
3. Attack Phase
- Find exploits for various vulnerabilities. Please keep in mind that you will require security privileges to exploit the system.
- You can use cross-site scripting and SQL injection to find vulnerabilities in your system.
4. Reporting Phase
- The report must contain detailed findings.
- Risks of vulnerabilities found and their impact on business.
- Recommendations and solutions, if any.
- Manual Penetration Test
- Automated Penetration Test tools
- Combination of both manual and automated process
- The third technique is more common for identification of all kinds of vulnerabilities.
A project manager should consider Penetration Testing as a task to be performed by both developer and QA. The task is included in the estimation and planning. The project manager should conduct security audits to identify and correct the process flaws with other planned audits.Business Analyst
A Business Analyst must list security requirements requested by the client: if any. If there is no special requirements requested by the client, then the general practice required to secure the application to some extent should become part of the documentation. For example, if a website deals with online payments, then PCI Compliance should be followed. It should be clearly mentioned what should be followed to secure the data. Similarly, if the target application is a medical or insurance type, then HIPAA (USA Health Act) or SEA16 should be considered.
The following are some of the examples, which can be part of security requirements.
- Authentication data should be stored and transferred in an encrypted format. This will mitigate the risk of disclosure of information and authentication protocol attacks.
- The password should be encrypted using non-reversible encryption, for instance, HASH, and a seed to prevent dictionary attacks.
- Accounts should be locked after reaching a log-on failure threshold. Password policy should enforce the complexity to mitigate the risk of brute force password attacks.
- Generic error messages should be displayed upon validation of credentials to mitigate the risk of account harvesting/enumeration.
- Both client and server should be authenticated to prevent non-repudiation and Man in the Middle (MiTM) attacks.
Developers should follow the coding and development standards to minimize the risk of a security breach. An audit should be conducted to review the application design and code. The audit can be performed through peer review (formal audit) and should track back to confirm that the issues raised during the audit have been fixed.
The application code must follow coding techniques that include secure coding techniques, and developers should know about prevalent vulnerabilities. Generally, it will prevent future problems. Data corroboration including the use of check sum, double-keying, message authentication, and digital signature can be used to ensure data integrity.
Developers should include security testing in their unit testing activity to ensure that code follows the coding security standards. All the functions, methods, classes, APIs and libraries should be verified. The following controls/modules should also be part of the test.
- Authentication & Access Control
- Input Validation & Encoding
- Session Management
- Error and Exception Handling
- Auditing and Logging
The QA team should make the Penetration Test a part of their testing effort and planning. They should identify scenarios from the business requirements. Also, they should consider the scenarios that are generally applied to a web application.
The QA team should provide detailed information if they find any vulnerabilities or issues within the application.
Limitations of Penetration Testing
It is not possible to find all vulnerabilities in the system due to certain constraints, such as time, budget, scope and skills of the resources.
The following could be side effects when doing Penetration Testing:
- Loss and Corruption of Data
- System Down Time
- Increased costs