The big majority of attacks performed over the systems available via Internet are made in the application layer due to the easiness of launching an attack and the lack of app protection. For verifying the security of IT infrastructures an audit is carried out, but this action is insufficient in many situations in determining the ways an attacker can abuse and corrupt services or applications. Pentesting is the most efficient way of verifying the effectiveness of security measures because this will allow real time protection in case of an attack.
The pentests should be made as much as possible before launching the application in a productive environment, after the functionality and efficiency has been tested, in order to identify early on the vulnerabilities that could lead to an information leak, blocking the access to the application or total corruption of the systems.
In order to make a pentest successful the next steps should be followed:
- Planning and preparing
- Collecting and analysing information
- Detecting vulnerabilities
- The actual attack against systems
- Reporting and analysing vulnerabilities that were found
- Cleaning applications and systems
Approaching the tested infrastructure can be made in many ways according to the client objective, the only thing that is different between them is the information received from the client. In this way we can make three kinds of tests:
- Black box: simulate a real attack from outside based only on public information, with low aggressivity for detecting the sensibility and rate of detection by implemented security systems
- Grey box: the pentester has limited information from the client and the rest also from public source
- White box: the client offers inside information for the systems and application targeted or offers a copy of them, in a controlled environment, so the tests can be more aggressive and this way you can review each component even if they can be public accessed or not
A penetration test cannot offer you a complete overview over the system or network security, this being the main reason of tests made within a predefined period of time. The undiscovered vulnerabilities during the pentest or those that can appear after updates, the installation of a new software or reconfigurations of the system can lead to new security holes. This is the main reason that periodic pentests and security audits along with monitoring constantly are the most efficient ways to prevent security issues.