
Penetration Testing

What is Penetration Testing?

Penetration Testing is an attack on one’s own software in a controlled manner to find vulnerabilities that a malicious hacker might exploit. A “pen test,” as it’s often known, is usually conducted by a third party rather than by the team that owns the software, to better represent what an outside attacker knows and doesn’t know. However, in some high-risk scenarios, an internal group would know more about how to attack the system.

What is the purpose of penetration testing?

By acting like an attacker, a pentester provides a better view of the system’s security and reliability and gives a clearer picture of what avenues of attack an attacker might take. This provides a roadmap for the enterprise to secure the system. It is an act of “ethical hacking,” also known as “gray hat hacking,” where an individual with the appropriate skillset breaks into a computer system to make the system more secure.

Why is penetration testing important?

Penetration testing (or “pentesting”) gives an enterprise an attacker’s view of their systems, which can differ drastically from the traditional “defender” mindset that can be blind to obvious attack vectors (including social engineering attacks). Pentesting a system can provide a more realistic assessment of the system’s ability to withstand attack, which can lead to considering additional defenses to protect those assets.

Who are the key stakeholders?

In any pentest, several people must be involved for the exercise to be successful.

  • Security: Primarily, the enterprise IT security team must know that the system isn’t really in danger, because a competent pentester will appear and act like a real attacker. ITSec will likely have strong opinions about where and how the pentest is executed, and whether it is run with full knowledge of the internal systems (a “white box” pentest) or without it (a “black box” pentest). After the pentest, the ITSec team uses the findings to help secure the system against further attack, working explicitly with the pentester to make sure vulnerabilities are fully closed.
  • Executives: High-level executive support is often needed to secure the resources (scheduled time and money) for the pentest and to ensure the activity actually takes place. The Chief Information Security Officer (CISO) is usually the principal stakeholder in the pentesting exercise.
  • Developers: Developers may be consulted by the pentester before the activity for information on how the system works or which servers are involved (in the case of a white box pentest).

What risks are involved with penetration testing?

One of the risks new technology executives fear most is the pentester. “If we give them leave to hack our systems, how do we know they won’t suddenly turn on us and hold us for ransom?” While such fears make for good movies or spy thrillers, this happens rarely in practice, so long as the enterprise uses a reputable firm or consultant to carry out the pentest. It is a risk, however, and CISOs are encouraged to communicate with one another across company boundaries to find trusted pentesters.

Typically the pentester attacks a running system, which is often in the production environment, and must take care to not accidentally damage or modify any of the production data or servers. For safety’s sake, it may be tempting to have the pentester attack an environment other than production. But if the environments aren’t identical, the pentest loses some of its validity. Even for the most conscientious pentester, “accidents happen.” (Also keep in mind that in some industries, the pentester even viewing production data could be grounds for regulatory action against the company!)

No matter how thoroughly the pentester tries to scan and explore the system, there is zero guarantee that the pentester has found every vulnerability in it. Like any effort of its kind, the pentest can only describe the vulnerabilities found in the parts of the system that were tested. There is no guarantee that the pentester explored 100% of the system or found all the vulnerabilities in the parts that they did test. If a pentest comes back clean, don’t assume that there are no vulnerabilities. (This can be a hard realization for an ITSec team, who will want to celebrate a clean pentest result.)

How does Azul help with penetration testing?

Azul Vulnerability Detection, a feature of Azul Intelligence Cloud, focuses scarce human effort on where vulnerable code is or has been used, rather than where it is simply present, to help reduce issue backlogs. Intelligence Cloud retains component and code-use history, focusing forensic efforts on determining whether vulnerable code was actually exploited before it became known as vulnerable.

Inefficient prioritization of vulnerabilities and unused code wastes effort, hampers agility, and reduces developer productivity due to constant context switching and unproductive code maintenance tasks. Azul Vulnerability Detection is not another dashboard for customers to look at. Users can access data on which components are in use, and vulnerable, using either the product’s API or an intuitive UI. The role of the web UI is to show the information we have and guide customers to the REST API.
