Penetration testing, or ethical hacking, is the process of using tools and techniques used by attackers to exploit vulnerabilities and reach information resource targets. This article at the InfoSec Institute provides a description of the top tools used for this.
Penetration tests are performed in two ways: during the testing phase of the SDLC and annually after implementation. Most organizations do not have the resources to pen test during the SDLC, nor can they afford to have a pen tester on staff. This requires engaging a third-party to perform these tests as part of an annual external review of security effectiveness.
Testers do not arbitrarily start attacking systems. They perform tests approved by management in writing. In addition to the tests to be performed, the test approval documentation should include test boundaries. For example, management might require the test to end once vulnerabilities are discovered without actually accessing sensitive data or adversely affecting production systems.
In the past, attacks stepped through the traditional attack steps, including
- Reconnaissance
- Scanning
- Gaining access
- Maintaining access
- Covering tracks
These steps are used to crack through perimeter defenses. However, most attacks today bypass the perimeter and leverage user vulnerabilities to enter our networks. Consequently, penetration tests must include attempts to use tools and techniques, including social engineering.
In addition to paying for formal pen tests, bug bounty programs are a good way to get hundreds or thousands of people looking for weaknesses instead of one or two. One company that coordinates these is https://www.bugcrowd.com/. Bug bounty programs aren’t just for Microsoft and Google. They are for businesses of any size that want the maximum number of eyes looking for weaknesses in websites or applications.
Would you recommend a bug bounty program for your organization in addition to or instead of a pen test? Why or why not?
You must be logged in to post a comment.