11 Things You Need to Know About Penetration Testing For Your Product or Service

by Muhammad Najmi

Penetration testing (pen testing) is a critical aspect of product development—whether your product offering is a software solution or a hardware device, testing for security gaps and known/unknown vulnerabilities is crucial to protecting your customers’ data.

Perhaps you’re a startup founder with a development background or an entrepreneur with a knack for the technical. Whatever the case, here are 11 things you need to know about pen testing to ensure that your products/services are safe from cyber attackers.

1. Penetration testing is a process of finding security holes before malicious actors do.

Exploits are constantly being developed to capitalize on known and unknown vulnerabilities in the system. Malicious attackers use exploits to penetrate systems for various purposes and intentions: financial reward, fame/notoriety, political gain, corporate espionage, and more.

2. Penetration testing is different from vulnerability scanning and assessment.

Vulnerability assessment—or the identification and ranking of existing vulnerabilities—comes before penetration testing. The latter is meant to exploit vulnerabilities and defeat the security features of the system’s components. In the past, vulnerability assessments were typically done quarterly while penetration tests were carried out annually. Both, however, should be done after significant system changes have occurred, and these days—the more often, the better.

3. Penetration testing is one type of software testing focused on computer security.

Pen testers are essentially being paid to find security holes in computing systems—with significant accolades and recognition going to the person/team discovering previously unknown attacks utilizing so-called “zero day” exploits. Their challenge is determining how to access the system via unconventional ways, whereas software testers’ testing flow gauges the system according to how it should work.

4. Pen testing tools range from commercial enterprise software to free open source solutions.

An abundance of free, open source pen testing tools, either developed by the community or company-funded, is available for download. In the latter case, firms will usually charge for customer support or offer a premium version of the tool for a price.

5. Common tools of the trade include Nmap, Nessus, and Metasploit.

A myriad of pen testing tools are available—but Nmap and Nessus are arguably the most popular for reconnaissance-based activities. Metasploit is another popular pen testing tool for cybersecurity information gathering, vulnerability scanning, exploitation and reporting, and more. For password-cracking, Brutus and RainbowCrack are both widely used.

6. Pen testing activities can be carried out both automatically and manually.

Automated tools have the advantage of speed, but manual pen tests are more effective at avoiding false positives, or non-vulnerabilities reported as vulnerabilities.

7. Pen testing can be accomplished from both inside and outside the organization.

Many vigilant enterprises run internal pen testing efforts as a sort of regular “audit” of corporate systems, with results cross-checked with external pen testers.

8. Two types of pen testing exist: grey-box testing and black-box testing.

Grey-box testing is carried out with limited information regarding the structure of the system to be tested, while black-box testing is done without any knowledge of the system. In many cases, systems need to be tested through the lens of a normal user; in these cases, grey-box testing would be appropriate.

9. Pen testing is often required to adhere to compliance standards and regulations—especially when it comes to e-commerce functionality and online payments.

Adherence to PCI DSS (the Payment Card Industry Data Security Standard) is mandated by the five major credit card companies. PCI DSS has strict security requirements for organizations that process, store, or transmit credit card data online, and in many cases proof of periodic pen testing is required for certifying/validating a system.

10. Pen test processes allow for various attack vectors to be used against the same system.

Pen tests are effective at identifying ongoing security gaps because they combine various data points and vulnerability information across different systems to compromise a specific target.

11. Pen testing is often carried out after a security incident to determine its cause.

In order to facilitate forensic analysis, firms often use pen testing efforts to recreate attacks and replay the sequence of events. This gives them the necessary insights to improve the posture of the organization’s security chain.

2016 was a record year for data breach incidents, and cyber attackers aren’t slowing down in 2017. For this reason, pen testing should be an integral part of your product development strategy; without these security mechanisms in place, you could be placing your company—as well as your customers’—well-being at risk.


