Penetration Testing
Penetration testing, often referred to as pentesting, is the art of testing a system to find weak points that can be exploited and the risk these weaknesses pose to the owner of the solution.
Security testing and pentesting have many similarities, but while approaches like DAST primarily focus on web applications and more automated tests, a pentest is more comprehensive and typically also includes underlying infrastructure and networks. In some cases, it may also have a physical element where pentesters will attempt to gain access to premises to uncover weaknesses in physical security or routines.
A penetration test will always have an agreed scope that regulates what the pentesters can do, when they can do it, and which resources and services they can test.
Why Pentest?
It is not possible to prove that a solution is secure, only that it is not vulnerable to certain attacks. If you are delivering a solution that has strict security requirements, or that operates under an agreement requiring it, a pentest is a useful tool to ensure that the solution and its surrounding environment are secure.
After the testing is completed, a report will usually be delivered that describes what was tested and how, together with an assessment of all findings. In some cases, findings may be described as vulnerabilities that nevertheless do not need to be addressed, because other mitigating measures are in place or because the risk or consequence is low.
What is Required to Conduct a Pentest?
First and foremost, you need one or more pentesters. This is not something you do on your own after watching a few videos on YouTube! A pentest requires expertise in several areas, as some attacks depend on exploiting multiple vulnerabilities that are not particularly serious on their own.
As a development team, you must ensure that the environment to be tested is properly identified so that everyone understands where the testing is taking place. The scope of the test must be defined - remember that it must be possible to distinguish an actual attack from a pentest if both occur simultaneously: if you see signs of an attack on an environment that is not part of the test and you have segregated your environments, you should take action!
As part of the planning, it is important to check with the customer what routines they have for pentesting. In many cases, they will have a Security Operations Center (SOC) and/or a Network Operations Center (NOC) that continuously monitors the infrastructure. These must be part of the planning to avoid misunderstandings or problems when the test begins.
In some cases, it is desirable to conduct a pentest without notifying anyone, as you want to see if such a test is detected - remember that a pentest is, in practice, an attack.
When to Conduct a Pentest, and What to Do While It Is Ongoing?
In a perfect world, you should conduct a pentest with every major change, but this is not feasible except for a few actors with special requirements. Each customer will have different requirements and expectations, so it is important to establish guidelines for this before planning to conduct the test.
If the test is announced in advance, it is a great opportunity to watch logs and other monitoring tools to see if you notice anything unusual. If you can correlate what you observed with the tests reported afterward, you have a good basis for creating automatic alerting routines that detect deviations from the norm.
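As an added example (not from the original page), the following Python script shows the kind of correlation described above, and the separation of a pentest from an actual attack mentioned under scope: it reads constructed web-server access-log lines, attributes 404 probe activity to the agreed pentest scope (hypothetical source address and time window) where it matches, and flags the remaining unexplained sources for alerting.

```python
import re
from collections import Counter
from datetime import datetime, timezone

# Constructed, hypothetical pentest scope: the agreed source address and test window.
PENTEST_SOURCES = {"203.0.113.10"}
PENTEST_WINDOW = (datetime(2024, 5, 6, 8, 0, tzinfo=timezone.utc),
                  datetime(2024, 5, 6, 18, 0, tzinfo=timezone.utc))

# Constructed access-log lines in Apache/nginx combined-style format.
SAMPLE_LOG = """\
203.0.113.10 - - [06/May/2024:09:12:01 +0000] "GET /admin HTTP/1.1" 404 153
203.0.113.10 - - [06/May/2024:09:12:02 +0000] "GET /.env HTTP/1.1" 404 153
203.0.113.10 - - [06/May/2024:09:12:03 +0000] "GET /wp-login.php HTTP/1.1" 404 153
198.51.100.7 - - [06/May/2024:21:40:10 +0000] "GET /admin HTTP/1.1" 404 153
198.51.100.7 - - [06/May/2024:21:40:11 +0000] "GET /.env HTTP/1.1" 404 153
198.51.100.7 - - [06/May/2024:21:40:12 +0000] "GET /backup.zip HTTP/1.1" 404 153
192.0.2.5 - - [06/May/2024:10:00:00 +0000] "GET /index.html HTTP/1.1" 200 5120
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+')

def parse_line(line):
    """Parse one combined-format log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, status = m.groups()
    when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": ip, "when": when, "method": method, "path": path, "status": int(status)}

def in_scope(event, sources=PENTEST_SOURCES, window=PENTEST_WINDOW):
    """True if the event comes from an agreed pentest source inside the agreed window."""
    return event["ip"] in sources and window[0] <= event["when"] <= window[1]

def triage(log_text, threshold=3):
    """Count 404 probes per source IP, split into pentest and unexplained buckets.

    Returns (counts, alerts): counts maps bucket -> Counter of IP -> probes;
    alerts lists unexplained IPs with at least `threshold` probes.
    """
    counts = {"pentest": Counter(), "unexplained": Counter()}
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or ev["status"] != 404:
            continue
        bucket = "pentest" if in_scope(ev) else "unexplained"
        counts[bucket][ev["ip"]] += 1
    alerts = sorted(ip for ip, n in counts["unexplained"].items() if n >= threshold)
    return counts, alerts
```

Running `triage(SAMPLE_LOG)` attributes the in-window probes from 203.0.113.10 to the pentest and raises an alert for 198.51.100.7, whose probes fall outside both the agreed sources and the agreed window.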
What to Do After a Pentest?
When the team receives the report after a completed test, it is important to review it with the product owner. Always remember that security is never the responsibility of individuals alone - it is the delivery manager's responsibility to ensure that security measures are implemented, but it is the team's collective responsibility to ensure that what is built meets the set requirements.
Identified findings must be classified and added to the backlog. Then the findings must be prioritised: some can wait, while others must be addressed as quickly as possible. This will vary from delivery to delivery and from finding to finding.
You should never conduct a pentest yourself unless you know very well what you are doing. Tools used in connection with pentesting may not be run on Bouvet machines or in Bouvet's network without this being cleared with Intern IT & Security in advance.