Penetration tests are an essential component of an effective, pragmatic, and mature security strategy, whether we are discussing an organization, IT infrastructure, or specific environments, systems, or applications. Properly conducted penetration tests can effectively verify their security status. In today's article, we will shed some light on the methodologies for conducting penetration tests and the related issues.
How to Conduct Penetration Tests?
When conducting so-called "pentests," various standards and methodologies can be applied. They depend on several variables and determinants, which define which one will be best suited to ensure the quality of work aligns with the estimated time and fulfills the expectations. Therefore, the first step in conducting penetration tests is determining the time consumption and objectives that need to be achieved. Reasons may vary, from sectoral or legal requirements to client expectations, industry standards, or increasing organizational security. Regardless of whether it is a single system, environment, application, or the entire infrastructure, the client must analyze both the requirements and the next steps depending on the report results. Each penetration test report identifies vulnerabilities, anomalies, or security gaps that require a response from the client. These could be simple patches but may also require more extensive and time-consuming tasks that could involve several teams. Sometimes, a third party or client will require not only confirmation of penetration tests but also evidence that the vulnerabilities identified in the report have been addressed.
Penetration tests should be conducted in an isolated environment, free from factors that might destructively affect its operation and from production use. In short, it involves creating conditions for the penetration testing team to perform planned tests over a specified period. Their progress, depending on the specifics of the tested target and assumptions, may affect its stability. Therefore, it is not recommended to conduct penetration and functional tests simultaneously in the same environment, nor to update software versions during the tests. It is crucial that the version of the tested application or system is as close as possible to the one already operating in the production environment (or higher, if tests are conducted before releasing a new version).
Penetration Testing Methodologies
Three basic testing methods are widely accepted:
The first involves conducting tests with little or very limited knowledge of the target. For example, a pentester knows only the domain or IP address where a web application is located. The second and third methods involve conducting tests with partial or full knowledge of the tested object, respectively. The penetration testing team already has access to the application (including accounts at various access levels), knowledge of its business functionality, and access to documentation or source code (the latter applies only to "White box" tests).
From the outset, this allows the client and the team performing the penetration tests to define scenarios and refine the form of their execution. Whether they are to be conducted fully automatically using a selected vulnerability scanner, manually based on the best knowledge and experience of the pentesters, or hybrid, depends on the client.
Methodologies are, in a sense, also standards that define and support the conduct of penetration tests. They differ not only in purpose but also in scope of use. For example, the OWASP Testing Guide is intended for testing web applications, while PTES (Penetration Testing Execution Standard) and OSSTMM (Open Source Security Testing Methodology Manual) are universal. Corporate clients or government entities may require penetration tests based on the NIST SP 800-115 standard, which is also universal but more detailed and covers a broader range of testing techniques.
For web and mobile applications, it is considered essential to conduct penetration tests in compliance with and based on the guidelines of the OWASP organization. Besides the Testing Guide, OWASP also provides its own Application Security Verification Standard (ASVS) for web and mobile applications. It is a set of basic security requirements and recommendations that should be implemented in applications. They are an excellent starting point for auditing and verifying security based on three application categorization types. These are determined by the application’s purpose and use in a given sector (e.g., medical, financial, government, etc.) and the type and sensitivity of data processed in it (e.g., personal, financial data, etc.).
The OWASP organization also periodically releases a top 10 vulnerabilities list to raise awareness and highlight the importance of the most critical vulnerabilities that should be considered when building and developing web applications.
For testing environments based on systems and networks, not necessarily web or mobile applications, standards such as NIST SP 800-115, PTES, and OSSTMM will mainly apply. For larger organizations, NIST and the ISSAF (Information Systems Security Assessment Framework), which focus on a detailed and comprehensive testing approach, will be more applicable. In contrast, PTES and OSSTMM are universal and more pragmatic regarding tested environments.
Classification of Identified Vulnerabilities
Exemplary penetration tests involve well-chosen objectives, expectations, methodologies, and standards. They also include the appropriate classification of identified vulnerabilities, which best specifies how a given threat can affect the client’s application, system, or business and the likelihood of occurrence. Skillful classification of vulnerabilities allows a company to prioritize them effectively toward mitigating the threat, patching vulnerabilities while maintaining the previously adopted software development cycle, and managing changes in the product or infrastructure.
Vulnerabilities that are misclassified through underestimation or overestimation of their occurrence risk and the threat they pose can cause unnecessary confusion and potential financial losses due to shifting planned tasks and projects.
In penetration tests, CVSS (Common Vulnerability Scoring System) is the standard classification: a scoring system based on specific factors affecting security. It rates the impact of a vulnerability on the confidentiality, integrity, and availability of the tested application or system, as well as the complexity of conducting an attack. CVSS is universally used and recognized as the common classification of threats in applications and systems. Another frequently used classification is the OWASP Risk Rating Methodology, which, because it was designed for web applications, is of limited use in other tested areas (e.g., systems).
Penetration Testing is a Demanding and Continuous Process
Determining the requirements and needs of the organization ordering the tests is crucial to appropriately selecting the penetration testing methodology and defining the standard they should closely follow in execution. Cyclical penetration testing is a continuous process that requires ongoing oversight of application or system development on the client’s side, translating into skillfully defining goals and expectations.
Awareness of the selection of methodologies and standards for conducting penetration tests, along with the classification of identified vulnerabilities, is necessary to fulfill the objectives the client faces to maturely develop the security strategy for their business.