What is penetration testing?


A penetration test, also known as a pen test, is a simulated cyber attack against your computer system to check for exploitable vulnerabilities. In the context of web application security, penetration testing is commonly used to augment a web application firewall (WAF).
Pen testing can involve the attempted breaching of any number of application systems (e.g., application programming interfaces (APIs), frontend/backend servers) to uncover vulnerabilities, such as unsanitized inputs that are susceptible to code injection attacks.
Insights provided by the penetration test can be used to fine-tune your WAF security policies and patch detected vulnerabilities.
 

Penetration Testing Steps:


7 Steps and Phases of Penetration Testing


1. Information Gathering
2. Reconnaissance
3. Discovery and Scanning
4. Vulnerability Assessment
5. Exploitation
6. Final Analysis and Review
7. Utilize the Testing Results

Penetration testing methodologies


A penetration testing methodology is a comprehensive methodical approach that is used in penetration testing to identify vulnerabilities and weaknesses in the overall security posture of an organization.
Pentesting methodologies need to be extremely comprehensive and accurate to ensure that a penetration test is performed successfully. (A penetration test is only as comprehensive as the methodology that was used.)
 

1. Information Gathering


The first of the seven stages of penetration testing is information gathering. The organization being tested will provide the penetration tester with general information about in-scope targets.


2. Reconnaissance


The reconnaissance stage uses the information gathered to collect additional details from publicly accessible sources.
The reconnaissance stage is crucial to thorough security testing because penetration testers can identify additional information that may have been overlooked, unknown, or not provided. This step is especially helpful in internal and/or external network penetration testing; however, we don’t typically perform this reconnaissance in web application, mobile application, or API penetration testing.


3. Discovery and Scanning


The information gathered is used to perform discovery activities that determine things like the ports and services available on targeted hosts, or the subdomains available for web applications.
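How discovery output can be turned into findings, as an added example that is not part of the original article: it parses scan results in Nmap's grepable (-oG) format and flags open ports that are missing from an approved baseline. The scan lines, host addresses and baseline are constructed for illustration, and the use of Nmap is an assumption, since the article names no tool.

```python
import re

# Constructed sample in Nmap "grepable" (-oG) format; hosts use documentation addresses.
SAMPLE_SCAN = """\
# Nmap scan initiated (constructed sample)
Host: 192.0.2.10 (web01.example.test)\tStatus: Up
Host: 192.0.2.10 (web01.example.test)\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/open/tcp//https///, 3306/open/tcp//mysql///
Host: 192.0.2.20 (db01.example.test)\tPorts: 22/open/tcp//ssh///, 3306/open/tcp//mysql///, 8080/filtered/tcp//http-proxy///
Host: 192.0.2.30 ()\tPorts: 23/open/tcp//telnet///, 161/open/udp//snmp///
"""

# Hypothetical approved-exposure baseline for the in-scope hosts (an assumption).
BASELINE = {
    "192.0.2.10": {(22, "tcp"), (80, "tcp"), (443, "tcp")},
    "192.0.2.20": {(22, "tcp"), (3306, "tcp")},
}

HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)")

def parse_open_ports(scan_text):
    """Return {ip: {(port, proto): service}} for ports whose state is exactly 'open'."""
    hosts = {}
    for line in scan_text.splitlines():
        m = HOST_RE.match(line)
        if not m or "Ports:" not in line:
            continue  # comment lines and Status-only lines carry no port data
        # Fields on a Host line are tab-separated; keep only the Ports field.
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        for entry in ports_field.split(","):
            # Entry layout: port/state/protocol/owner/service/rpcinfo/version/
            parts = entry.strip().split("/")
            if len(parts) < 5 or parts[1] != "open":
                continue  # skip closed, filtered and malformed entries
            hosts.setdefault(m.group(1), {})[(int(parts[0]), parts[2])] = parts[4] or "unknown"
    return hosts

def unexpected_exposures(found, baseline):
    """List (ip, port, proto, service) that is open but not approved.

    A host absent from the baseline has nothing approved, so all its open ports are reported.
    """
    out = []
    for ip, ports in found.items():
        approved = baseline.get(ip, set())
        out += [(ip, p, proto, svc) for (p, proto), svc in ports.items() if (p, proto) not in approved]
    return sorted(out)

if __name__ == "__main__":
    for ip, port, proto, svc in unexpected_exposures(parse_open_ports(SAMPLE_SCAN), BASELINE):
        print(f"{ip} {port}/{proto} ({svc}) is open but not in the approved baseline")
```
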


4. Vulnerability Assessment


A vulnerability assessment is conducted in order to gain initial knowledge and identify any potential security weaknesses that could allow an outside attacker to gain access to the environment or technology being tested. A vulnerability assessment is never a replacement for a penetration test, though.
 

5. Exploitation


This is where the action happens!
After interpreting the results from the vulnerability assessment, the expert penetration testers will use manual techniques, human intuition, and their backgrounds to validate, attack, and exploit those vulnerabilities.


6. Final Analysis and Review


The comprehensive report produced at this stage includes narratives of where we started the testing, how we found vulnerabilities, and how we exploited them. It also includes the scope of the security testing, testing methodologies, findings, and recommendations for corrections.
Where applicable, it will also state the penetration tester’s opinion of whether or not your penetration test adheres to applicable framework requirements.


7. Utilize the Testing Results


The last of the seven stages of penetration testing is so important. The organization being tested must actually use the findings from the security testing to risk rank vulnerabilities, analyze the potential impact of vulnerabilities found, determine remediation strategies, and inform decision-making moving forward.

 

Penetration testing Areas


●    Network/Infrastructure penetration testing 
○    Unpatched OS
○    Misconfiguration of server or network device 


●    Web apps penetration testing 
○    Server-side vulnerabilities 
○    Client-side vulnerabilities


●    Wireless Network penetration testing 
○    Open/Rogue AP
○    Insecure encryption


●    Social Engineering penetration testing 
○    Dropping USB 
○    Unauthorized access
○    Phishing Email with a malicious link 


Some areas that can benefit from an understanding of penetration testing are as follows:
●    Security operations center (SOC) analysts
●    Purple teams 
●    Network security analysts and engineers
●    Application security
●    Digital forensics and incident response (DFIR)
 
