Penetration testing examines the security of an environment from the perspective of a malicious source, and it can be an invaluable component of an organization's information security program. Typically, an application or environment is tested for potential vulnerabilities that may be the result of incorrect configuration, hardware or software vulnerabilities, or operational weaknesses in process or technical countermeasures.
There are many forms of penetration testing. One common type is black-box testing, in which the testing team is given no information about the environment architecture or composition prior to conducting the test. This approach is much like assessing a barn for cracks by walking around the outside; the large cracks or missing boards are most easily visible.
On the other end of the spectrum is white-box testing, in which the details of the application code, network device configurations, network and system diagrams, and/or account information are shared with the evaluation team before the test. This method is akin to assessing a barn for cracks by walking inside on a sunny day; the sun streaming inside the barn makes even the smallest hole easily visible.
Gray-box testing is somewhere in between; with this method, depending on the environment, the testers receive some internal detail as input to the test. The goal is to leverage existing information about the environment, such as API/application documentation and network diagrams, as well as work with developers and system administrators as necessary, to provide a much deeper analysis of the system. Often, a penetration tester will identify unusual behavior that a developer or system administrator can provide insight into immediately, allowing the tester to focus attention on other areas. This approach also provides more exact information regarding the location and/or cause of a vulnerability.
AppliedTrust’s certified security experts perform penetration testing across the spectrum of black-box and white-box testing. We customize each test based on the functionality/purpose of the application or environment and conduct it in an open, ethical way so the results can be trusted and your organization’s production environment isn’t unexpectedly impacted. Regardless of the type of testing, each engagement combines the use of automated tools with hands-on analysis by qualified engineers to produce a detailed, risk-based report with actionable recommendations for mitigation.
Web Application Penetration Testing
Many penetration tests focus exclusively on a web application; in others, web applications are identified during the discovery phase of a network test. Regardless of the scope, if a web application is identified during penetration testing, web application-specific attack vectors will be investigated. AppliedTrust leverages the OWASP Testing Guide and WASC Threat Classification as starting points for web application penetration testing. Once more information about the environment is identified during the discovery phase, architecture/language-specific testing vectors will be assessed as well.
Infrastructure Penetration Testing
Infrastructure penetration testing focuses on finding vulnerabilities and exploits at all levels of an environment. Testing can include exploitation at the network, system, service, or application level to identify areas of weakness. Once the testing scope is set, vulnerabilities are identified and exploited to open up potential pivots to other devices that may have been considered secure. As with web application penetration testing, AppliedTrust leverages open-source testing methodologies such as the OWASP Testing Guide and the Open Source Security Testing Methodology Manual (OSSTMM), along with experience gained over time from previous tests, to complete a thorough review of any environment.
For more information about how we can help you evaluate the security of your environment, give us a call at (303) 245-4545, or contact us online.