How and where to start penetration testing

  • Posted by: Yatender Sharma
  • 20/12/2018

Penetration Testing

Penetration testing simulates the behavior of a hacker through "White Hat" personnel, who inject malicious load or traffic into the system under test to expose its vulnerabilities so that they can be resolved. This helps make the system robust from a security point of view.

In the current scenario, where websites and applications are exposed to an ever larger number of people, the risk of these applications being hacked is even greater. White Hat hackers, or penetration testers, help protect applications from such security threats.

Environment and Tools

There are several tools on the market that are useful for penetration testing, but just knowing these tools is not enough. A comprehensive understanding of the application and its environment is required to be a competent penetration tester. The environment includes the network, application flow, application architecture, access to the application over the web, browser interaction, protocols, etc. Without in-depth knowledge of these, simply using the tools is not going to suffice in security testing.

There are plenty of tools available for penetration testing, both open source and licensed.

Following is a selected list of tools used for penetration testing:

  • Kali Linux
  • Rapid7
  • AppScan
  • Nessus
  • Burp Suite
  • Metasploit
  • Nmap

Several tools can be used for specific tests; the selection of tools will depend on criteria such as:

  • Operating System (Windows, Linux, Unix, etc.)
  • Vulnerabilities to be tested (application, web-based, etc.)
  • Testing budget (open source tool, licensed tool, mixed approach)
  • Network types to be scanned
  • Devices to be scanned

Permissions to execute penetration testing

It is unlawful to put malicious payload or traffic into any network or system. Hence, if this activity is to be conducted for legitimate purposes, for example penetration testing, written permission is required from the owner of the system where the penetration testing is to be conducted.

Project Management

Penetration testing needs to be treated as a project with well-defined steps and procedures. This will help us prepare for unplanned shocks. Timely planning will also help prevent scope creep, and the results can be used for later projects.

In a nutshell, penetration testing is a necessity nowadays, even warranted by clients or government agencies. A thorough project management approach with initiation, planning, budgeting, resourcing, execution, and control phases needs to be planned to make it a fruitful exercise.

About Author

Yatender Sharma

CoE - Testing

Yatender Sharma heads the Testing Services at Espire. He has extensive hands-on experience in Testing Services (Sales & Pre-Sales), Testing Delivery Management, Transformation for outcome-based Managed Testing Services engagements, and Testing Center of Excellence (TCoE) covering technical and business testing for the Financial Services, Telecom, Insurance, Recruitment and Healthcare sectors.