LAIKA UNIVERSITY

Penetration Testing

Penetration testing, also known as pen testing, security pen testing, and security testing, is a form of ethical hacking. It describes the intentional launching of simulated cyberattacks by “white hat” penetration testers using strategies and tools designed to access or exploit computer systems, networks, websites, and applications.

A penetration test (pentest) simulates a cyber attack against your systems to check for any exploitable vulnerabilities. Conducting a penetration test with a 3rd party helps discover vulnerabilities in applications that are susceptible to code injection attacks.

Testing methods include:

External testing, e.g. web application, website, the domain name server (DNS)
Internal testing, e.g. malicious insider, phishing attack
Blind testing, where the tester only gets the enterprise name
Double-blind testing, where the business has no knowledge before an attack
Targeted testing, when the tester and security work together and give each other feedback

A third-party penetration test is composed of the following requirements:

Categorize vulnerabilities based on the severity
Generate a report of results and areas for remediation
Conduct penetration tests on at least an annual basis

Additionally, banks may require the following:

Do you perform network/server scans and penetration tests, using reputable products, to identify security gaps?
Is regular static code analysis, vulnerability assessments and penetration tests conducted, to ensure that at a minimum there are no un-remediated OWASP Top 10 vulnerabilities?

SOC 2 Questions and Requirements

As penetration testing relates to SOC 2 requirements, our team uses the question and control below to help customers prep for audit.

Question: Please provide the results from all network scanning and testing performed within the past 12 months. This includes all internal and external vulnerability scans and penetration tests.

Requirement: An organization should perform application penetration tests or ethical hacking of proprietary web-facing applications. Industry standards such as OWASP should be utilized as a foundation for detecting vulnerabilities in the applications, and measuring the effectiveness of the application security controls in place.
Technical compliance should be reviewed preferably with the assistance of automated tools, which generate technical reports for subsequent interpretation by a technical specialist. Alternatively, manual reviews (supported by appropriate software tools, if necessary) by an experienced system engineer could be performed.

Penetration Testing Scope

Penetration tests will cover the following:

Security of internet channel
Security of cookies
Password auto-completion prevention
Multiple X-Frame options detection
Cross-site scripting
Cross-domain source file inclusion
Anti-mime sniffing
Credential hacking
SQL injection
Banner grabbing
Port scanning
Known service vulnerability tests
Fuzz testing

Approaching Pentesting

Gray, white and black box testing varies across companies conducting pen tests.

Why are Pentests expensive?

Primarily, the scope. Number of external endpoints, API’s, IP addresses, density of configurations to be reviewed, scoping of depth of application testing, scope of source code review, scope of internal testing regarding containers, kubernetes, data stores, etc. All of these add up quickly and can bring considerable costs.

Different Approaches

Gray, White and Blackbox testing varies across all companies who conduct pen testing. You have to flesh out tools, techniques and coverage for each. Re-testing and time for remediation / mitigation also plays into the cost factor.

Black Box

No data is provided to the tester or company conducting the testing.
Most closely represents a true real world scenario.

The attacker attempts to find holes and/or exploitable weaknesses in applications, architecture, configurations, API endpoints, and humans (via social engineering) to gain access to the environment. Depending on the testing scope, black box testing is usually the most expensive option.

Gray Box

Supply a tester with limited data. In most cases, only a set of login credentials is provided.
Strikes a balance between depth and efficiency.

As most real world scenarios include the attacker doing reconnaissance, a greybox test can be efficient and authentic. Depending on scoping, gray box testing can be a balanced cost option.

White Box

Includes full disclosure of network and application architecture, IP addresses, and credentials.

The test fully simulates a targeted attack with almost no system disruption. Depending on scoping, white box testing is usually the lowest cost option.

Pentest Costs

Penetration tests are priced based on scope. This includes variables like

the number of external endpoints, API’s and IP addresses,
the scope of configuration density,
re-testing, time for remediation and mitigation,
depth of application testing, and
source code review.