Many companies without their own security department or competencies ask what penetration testing is and why it is needed. First of all, let's answer the question: what is it all about?
Penetration testing is a type of testing that helps to identify the weakest points in the infrastructure of a potential victim or client (you can call it anything). Those weak points can later lead to such things as:
1. Leakage of sensitive information
2. Compromise of infrastructure with data leakage
3. Loss of access to systems
4. Denial of service of systems
5. Many other terrible consequences…
In addition to the ability to assess the level of infrastructure security, penetration testing is also one of the key requirements for various types of standards, including PCI DSS, HIPAA, GDPR, etc.
Types of penetration testing
Penetration testing can follow one of these models:
- Black Box model – the attacker has zero knowledge about the target except, for example, the company name or website URL.
- Gray Box model – here the attacker may have some understanding and knowledge of the systems and IP addresses, and possibly has credentials to access the application or portal. If the pentest is an agreed engagement and registration in the application is closed, the customer may provide the security engineer with credentials.
- White Box model – when we know almost everything: we have a specific list of targets and, optionally, credentials or access to the internal network.
Each of the above approaches will help identify specific security issues and find vulnerabilities. They are all very effective, and the choice mostly depends on the customer's requirements.
As for bug bounty programs, they mostly apply something between black and gray box, as companies usually provide some information on the target systems of interest, as well as some requirements for bug hunters.
Penetration Testing Effectiveness
Nowadays many companies mistakenly take conventional automated scanning to be penetration testing. As far as we know, automated scanners can identify a great many vulnerabilities; however, in most cases the problem lies in logic. Automated solutions cannot fully test the security of an application's logic, that is, how it is supposed to work. That is why penetration testing is still popular and gives better results.
The most successful is the 20/80 combination, where 20% of the work is automation (mostly data collection, analysis of the types of software used, and the vulnerability assessment process with automated security scanners), and the remaining 80% is the execution of an attack with a mostly manual approach. In this case we get the most effective results, without false positives and with a detailed report.
The chance of finding more vulnerabilities, and of discovering new ones, is also much higher when you work manually and do not rely only on automated security solutions.
Why Vulnerability Scanners are so popular
Vulnerability scanners (like Acunetix, Nessus, IBM AppScan and others) for web applications and infrastructure will of course be popular, as they can be used during penetration testing as well as for regular vulnerability assessment. They help to gather information much faster and reveal some common vulnerabilities in the target system or application.
So what should I do: Vulnerability Assessment, Penetration Testing or just scan my website with a vulnerability scanner?
Actually, all of those methods can be applied, and everything here depends on your real needs and budget. The most expensive way is to combine all of them; next comes penetration testing, then vulnerability assessment, and finally just buying a licence for a scanner and running several scans on your web application.
If you are not sure what exactly you need, or just want to buy a licence for a vulnerability scanner, you can contact us for a free consultation and we'll answer all your questions. We can also help you with services like penetration testing or vulnerability assessment, or even help to install and properly configure any automated vulnerability scanning solution.
In conclusion, we would like to point out that neither a penetration test, nor a vulnerability assessment, nor any other kind of security solution will help you at all if you do not apply those solutions and techniques in time and implement security policies and other procedures.
We are always open to any kind of question and ready to assist you in making your application or even your infrastructure more secure!