How and where to start Penetration Testing
Penetration Testing
Penetration testing simulates the behavior of a hacker: "White Hat" personnel inject malicious load or traffic into the system under test to expose its vulnerabilities so that they can be resolved. This helps make the system robust from a security point of view.
In the current scenario, where websites and applications are increasingly exposed to a larger number of people, the risk of these applications getting hacked is even greater. White Hat hackers, or penetration testers, help protect applications from such security threats.
Environment and Tools
There are several tools on the market that are useful for penetration testing, but just knowing these tools is not enough. A comprehensive understanding of the application and its environment is required to be a competent penetration tester. The environment includes the network, application flow, application architecture, access to the application over the web, browser interaction, protocols, etc. Without in-depth knowledge of these, simply using the tools is not going to suffice in security testing.
There are plenty of tools available for penetration testing, both open source and licensed.
The following is a selected list of tools used for penetration testing:
- Kali Linux
- Rapid7
- AppScan
- Nessus
- Burp Suite
- Metasploit
- Nmap
Several tools can be used for a specific test; the selection of tools will depend on various criteria, such as:
- Operating System (Windows, Linux, Unix, etc.)
- Vulnerabilities to be tested (application, web-based, etc.)
- Testing budget (open source tool, licensed tool, mixed approach)
- Network types to be scanned
- Devices to be scanned
Permissions to execute penetration testing
It is unlawful to put malicious payload or traffic into any network or system. Hence, if this activity is to be conducted for legitimate purposes, for example penetration testing, written permission is required from the owner of the system where the penetration testing is to be conducted.
Project Management
Penetration testing needs to be treated as a project with well-defined steps / procedures. This will help us prepare for unplanned shocks. Timely planning will also help prevent scope creep, and the results can be used for later projects.
In a nutshell, penetration testing is a necessity nowadays, even warranted by clients or government agencies. A thorough project management approach with initiation, planning, budgeting, resourcing, execution, and control phases needs to be planned to make it a fruitful exercise.