Learn What a Penetration Test Is
A penetration test is a special type of audit that falls into the large category of offensive security (sometimes abbreviated as “offsec”).
A penetration test is used to:
check whether a system is vulnerable.
understand how attackers can discover and exploit these vulnerabilities (and where appropriate, how quickly).
make recommendations to improve system security.
Most of the pentesting resources you’ll come across will be in English, as are the most important conferences on the subject, including DEF CON and Black Hat. InfoSec Conferences has a directory listing top cybersecurity events. Some countries hold events in their own languages.
The best hackers from all over the world attend these events! As in many other spheres, English is the common language when discussing and sharing experiences.
Understand the Benefits of Penetration Testing
Why do companies request penetration tests?
In a perfect world, nobody would need to do any penetration testing.
But here’s the thing:
We all make mistakes, whether we’re writing application code, configuring a system, or setting up a network.
Attack methods and techniques are constantly evolving: what is secure one day may become vulnerable the next.
Attack attempts are an ever-present reality, and many malicious individuals exploit weaknesses in systems to compromise them.
Consequently, any company developing or integrating solutions should—ideally—carry out a penetration test at least before go-live to ensure that their system contains no vulnerabilities that attackers could exploit.
So, do all companies conduct penetration tests?
No. However, those companies with a more mature cybersecurity posture have started to standardize their approach. You can be pretty sure that your bank’s application falls into this category.
On this point, we recommend listening to what Rawia Salem, an IT engineer specializing in cybersecurity, has to say. She regularly commissions penetration tests because she understands how important they are for the company. This will help you understand a client’s point of view on pentesting and what they get out of it:
Learn About the Different Types of Penetration Testing
There have traditionally been three different approaches to, or categories of, penetration testing:
Black box.
Gray box.
White box.
These three approaches are easy to understand, especially in terms of their imagery: the darker the test, the less information you have.
Simulate an External Attacker With the Black Box Approach
In a black box penetration test, the pentester steps into the shoes of an attacker who has little or no information about the application, just a simple URL, the IP address of the target server, or the company’s showcase website.
The aim is to show the client what an attacker can do from the internet should the attacker decide to take a closer look at the application.
Simulate a Malicious User With the Gray Box Approach
The aim of the gray box approach is twofold:
To speed up penetration testing by giving the pentester more information.
To simulate the actions of a “malicious user”.
This approach tests the authenticated part of the application and detects problems linked to user-based access control. Typically, a gray box pentester makes use of one or more user accounts with different rights and security perimeters, to simulate different types of users.
If you don’t use the gray box approach, you run the risk of not testing an entire part of the application. It’s not uncommon to find a vulnerability in the authenticated part, or even in the part reserved for administrators (which would enable an attacker to take control of the server or extract data from a database, for example).
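The gray box idea above is easiest to see on a tiny access-control check. The following Python is an added example, not code from the course: it builds a constructed in-memory "application" with two regular users and one admin, a document handler that only checks authentication (the kind of flaw a single-account test can miss), a hardened version that also checks ownership or role, and a gray-box style sweep that exercises every account against every object and reports where access is granted that the policy forbids.

```python
"""Gray-box style authorization check against a toy in-memory web app.

Added example for illustration only. The users, documents, roles and
handler names are all assumptions constructed for this demonstration.
"""


# Constructed sample data: two ordinary users and one administrator.
USERS = {
    "alice": {"role": "user"},
    "bob": {"role": "user"},
    "carol": {"role": "admin"},
}

# Constructed sample objects: each document belongs to exactly one user.
DOCUMENTS = {
    1: {"owner": "alice", "body": "alice's private notes"},
    2: {"owner": "bob", "body": "bob's private notes"},
}


class Forbidden(Exception):
    """Raised when a handler refuses the request."""


def get_document_vulnerable(session_user, doc_id):
    """'Before' handler: verifies the caller is logged in, but never checks
    who owns the document. Any authenticated user can read any document."""
    if session_user not in USERS:
        raise Forbidden("not authenticated")
    return DOCUMENTS[doc_id]["body"]


def get_document_fixed(session_user, doc_id):
    """Hardened handler: object-level authorization. Only the owner or an
    admin may read the document."""
    if session_user not in USERS:
        raise Forbidden("not authenticated")
    doc = DOCUMENTS[doc_id]
    is_owner = doc["owner"] == session_user
    is_admin = USERS[session_user]["role"] == "admin"
    if not (is_owner or is_admin):
        raise Forbidden("not owner and not admin")
    return doc["body"]


def access_matrix(handler):
    """Gray-box sweep: call the handler with every account against every
    document and record whether access was granted.
    Returns {(user, doc_id): True or False}."""
    results = {}
    for user in USERS:
        for doc_id in DOCUMENTS:
            try:
                handler(user, doc_id)
                results[(user, doc_id)] = True
            except Forbidden:
                results[(user, doc_id)] = False
    return results


def expected_matrix():
    """The authorization policy the application is supposed to enforce:
    a user may read their own documents, an admin may read all of them."""
    return {
        (user, doc_id): doc["owner"] == user or USERS[user]["role"] == "admin"
        for user in USERS
        for doc_id, doc in DOCUMENTS.items()
    }


def find_violations(handler):
    """Return the sorted (user, doc_id) pairs where the handler grants
    access that the policy forbids. An empty list means no finding."""
    actual = access_matrix(handler)
    expected = expected_matrix()
    return sorted(key for key in actual if actual[key] and not expected[key])


if __name__ == "__main__":
    for name, handler in (("vulnerable", get_document_vulnerable),
                          ("fixed", get_document_fixed)):
        print(f"{name}: violations = {find_violations(handler)}")
```

Run it and the vulnerable handler reports that alice can read bob's document and vice versa, while the fixed handler reports nothing. The sweep only sees this because it holds several accounts with different rights, which is precisely why a gray box engagement asks the client for more than one user.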
Maximize Coverage With the White Box Approach
The white box approach involves asking the client for anything that might provide information about the application: documentation, architecture diagrams, source code, and so on.
The aim here is no longer to simulate the work of an external attacker or malicious user, but to detect as many vulnerabilities as possible (within the allotted time) based on information that an attacker would never normally have access to. This is more akin to auditing.
So, are penetration testing and security auditing the same thing?
Differentiate Between a Penetration Test and a Security Audit
A penetration test does not address the security of processes and how these are organized and managed:
Are backups properly managed?
Has detection been properly implemented?
Are the various procedures documented and consistent?
An audit addresses all these questions. An auditor carries out (in addition to—or instead of—technical tests) reviews of documentation and interviews with developers, application owners, and operations managers.
Differentiate Between a Bug Bounty, a Red Team, and a Penetration Test
During a bug bounty, pentesters are paid for each vulnerability they find. In penetration testing, they are paid for the time they spend testing, regardless of the number of vulnerabilities they find.
The goals of a red team are more complex than those of a pentest (even though they require similar technical skills). A red team aims to gain access to the information system and retrieve admin rights or confidential data without being detected. This allows the company to:
see if attackers can get in.
if they can get in, see if they are detected.
if they are detected, observe the response to the attack.
A red team’s primary goal is to test the company’s response to an advanced attack.
Conduct a Web Penetration Test
In this course, we’ll be focusing on web penetration testing (i.e., penetration testing carried out on a web application). You’ll learn how to do this using the black box and gray box approaches. (We will not be covering the white box approach in this course, as it requires skills in code and architecture analysis.)
Let’s Recap!
A penetration test (pentest) is a time-limited exercise in which a pentester plays the role of an attacker with the aim of identifying vulnerabilities in a system or application.
There are several complementary approaches: black box, gray box, and white box.
There are a number of other activities related to penetration testing that meet different needs (such as a bug bounty or a red team engagement).
Penetration testing is important because it can identify potential flaws and vulnerabilities, which can then be corrected to improve application security.
In this course, we’ll go through the different phases of a penetration test, from scoping to reporting. Together, we’ll also learn about adopting the right stance and asking ourselves the right questions. That’s exactly what we’ll be looking at in the next chapter!