The Standard Penetration Test

By Paladion

March 13, 2008

Most regulations recommend penetration tests in some form. For example, section 11.3 of the PCI Data Security Standard requires in-scope organizations to conduct network layer and application layer penetration tests at least annually and after any significant change to the infrastructure or applications. The HIPAA Security Rule's Evaluation standard (45 CFR 164.308(a)(8), under the Administrative Safeguards) requires a periodic technical and non-technical evaluation; in practice such an evaluation program consists of security process audits, periodic vulnerability assessments and penetration tests.
A typical security testing and evaluation program consists of network security audits, vulnerability assessments and penetration tests. Security audits cover both the security management processes and the IT assets; the part that covers IT assets is generally called a network vulnerability assessment. Penetration tests come in two broad types: the standard (network layer) penetration test and the application layer penetration test.
The standard penetration test is also called a network layer or network penetration test, or a black box test. It requires the bare minimum of information about the targets, usually just the IP addresses of the systems to be tested. The testing is performed with a penetration testing tool kit that can involve well over 25 custom, commercial and open source tools, but although it leverages tools it depends heavily on a well trained and experienced security tester. Because every finding is verified by hand, the results should be free of false positives; the manual work also reduces false negatives, although no time-boxed test can guarantee their absence. The report includes very specific instructions for closing any holes in your external facing networks. Related tests include penetration testing of internal networks, between interconnected LANs and VLANs, of wireless networks, and penetration through social engineering techniques.
The application penetration test is also called an application layer test, an application security assessment, or a gray box test, because the tester is typically given application credentials and some knowledge of its functionality rather than just an IP address. Such tests are applied to websites, web applications, thick client applications, mobile applications and software appliances. Unlike the standard penetration test, the application penetration test requires significantly greater human expertise to create application threat profiles and custom test cases. Application layer vulnerabilities fall into two broad categories: technical vulnerabilities such as SQL injection and cross site scripting, and logical vulnerabilities that lead to illegal transactions and privilege escalation. Automated scanners can find many of the former; the latter are only found by a tester who understands the business rules of the application. By and large application penetration tests used to be targeted at critical or revenue-generating web applications, but today, with scalable solutions offered on a SaaS platform combined with large testing teams, organizations can extend this level of testing across all their applications. Related services include security code review of the application source.
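To make the two categories concrete, here is a small illustration added by the editor; it is not code from the original post or from Paladion. It uses an in-memory SQLite database with a constructed schema, two users and two accounts. The first pair of functions shows a technical vulnerability (SQL injection in a login query) beside its parameterized fix; the second pair shows a logical vulnerability (a funds transfer that never checks who owns the source account, nor the sign of the amount) beside a version that enforces the business rule. A scanner that fuzzes inputs will find the first; only a tester who knows that "a user may move money out of their own accounts only" will think to try the second.

```python
import sqlite3

# Constructed sample data for the example: two users, each owning one account.
SCHEMA = """
CREATE TABLE users(id INTEGER PRIMARY KEY, name TEXT, password TEXT);
CREATE TABLE accounts(id INTEGER PRIMARY KEY, owner_id INTEGER, balance INTEGER);
INSERT INTO users VALUES (1, 'alice', 's3cret'), (2, 'bob', 'hunter2');
INSERT INTO accounts VALUES (10, 1, 500), (20, 2, 300);
"""


def make_db():
    """Return a fresh in-memory database seeded with the constructed data."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


# --- Technical vulnerability: SQL injection -------------------------------

def login_vulnerable(conn, name, password):
    """Builds the query by string concatenation, so quotes in the input
    change the SQL. name="alice' -- " comments out the password check."""
    query = f"SELECT id FROM users WHERE name='{name}' AND password='{password}'"
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_fixed(conn, name, password):
    """Parameterized query: the driver sends the values separately, so they
    can never be parsed as SQL."""
    row = conn.execute(
        "SELECT id FROM users WHERE name=? AND password=?", (name, password)
    ).fetchone()
    return row[0] if row else None


# --- Logical vulnerability: missing authorization on a transaction --------

def transfer_vulnerable(conn, caller_id, from_acct, to_acct, amount):
    """Uses parameterized SQL (no injection) but trusts the caller-supplied
    source account: any logged-in user can drain any account, and a negative
    amount silently reverses the direction of the transfer."""
    conn.execute("UPDATE accounts SET balance = balance - ? WHERE id=?", (amount, from_acct))
    conn.execute("UPDATE accounts SET balance = balance + ? WHERE id=?", (amount, to_acct))
    conn.commit()


def transfer_fixed(conn, caller_id, from_acct, to_acct, amount):
    """Enforces the business rule: the caller must own the source account,
    the amount must be positive and covered, and both updates commit together."""
    if amount <= 0:
        raise ValueError("amount must be positive")
    row = conn.execute(
        "SELECT owner_id, balance FROM accounts WHERE id=?", (from_acct,)
    ).fetchone()
    if row is None or row[0] != caller_id:
        raise PermissionError("caller does not own the source account")
    if row[1] < amount:
        raise ValueError("insufficient funds")
    with conn:  # one transaction for both legs of the transfer
        conn.execute("UPDATE accounts SET balance = balance - ? WHERE id=?", (amount, from_acct))
        conn.execute("UPDATE accounts SET balance = balance + ? WHERE id=?", (amount, to_acct))


def balance(conn, acct):
    """Helper used to observe the effect of a transfer."""
    return conn.execute("SELECT balance FROM accounts WHERE id=?", (acct,)).fetchone()[0]


if __name__ == "__main__":
    db = make_db()
    print("injection as alice:", login_vulnerable(db, "alice' -- ", "wrong"))  # 1
    print("same input, fixed: ", login_fixed(db, "alice' -- ", "wrong"))       # None
    transfer_vulnerable(db, caller_id=2, from_acct=10, to_acct=20, amount=100)
    print("bob moved alice's money:", balance(db, 10), balance(db, 20))       # 400 400
    try:
        transfer_fixed(db, caller_id=2, from_acct=10, to_acct=20, amount=100)
    except PermissionError as e:
        print("fixed version refused:", e)
```

The point for the tester is that the second flaw survives every input-validation fix: the SQL is parameterized and nothing is "malformed", so it only shows up when a test case is written from the application's threat profile ("can user B act on user A's account?"), which is the custom work the paragraph above refers to.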
