A penetration test assesses the vulnerabilities of computer systems and uses those vulnerabilities to try to break into the system. The level of risk is the product of the probability that a vulnerability will be exploited and the amount of damage caused when that happens.
A difference between a penetration test and an audit (security check) is that auditors do not attempt to break into a system when they find vulnerabilities.
Different sets of information can be provided to the penetration tester before the security audit starts. Depending on what information is shared with the pentester, both the way of testing and the outcomes change. We can list three configurations:
- black box
- crystal box
- grey box
Black Box Penetration Testing
Black Box simply means that the penetration tester does not see anything: he does not know what is inside the box, the box being the web platform of the target (client). The tester knows the name of the client and perhaps an IP address or a URL. In this situation, the tester will have to spend a lot of time exploring and looking for applications, websites and hidden parts of the platform. Black box testing simulates a so-called black-hat hacker and raises the organisation's awareness of hacking risks.
Without good coordination, there is a risk that the pentester tests an application that the client does not want tested, or even worse, one that does not belong to the client!
Crystal Box Penetration Testing
Crystal Box means that the tester can see everything. The penetration tester has full access to almost any information they need:
- a fully detailed scope (URLs, IPs, ports)
- details about the application
- any number of test accounts and test data
- source code…
The communication between the tester and the organisation must be excellent, so that the tester can get correct information about the platform.
External security companies are increasingly performing this kind of highly cooperative test.
The challenge during this kind of test is mainly on the communication side, and the testing company must be trusted since they will sometimes get access to the source code of the web application.
This kind of testing can be highly integrated in the software development life cycle (SDLC) of web applications.
Grey Box Penetration Testing
With Grey Box testing the penetration tester is provided with limited information, somewhere between black box and crystal box. Usually, the client provides a detailed scope of what needs to be tested, to ensure the test stays within the agreed boundaries. Although the scope has been clearly defined, the communication between the pen testing company and the client remains important: it is sometimes necessary to clarify doubts about the scope itself and, more generally, to answer questions that speed up the test and in the end lead to better results.
Grey box is the most common type of test performed on web applications.
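The scope discussion above (a black box test hitting an application the client never wanted tested, or a grey box test that must stay within the agreed boundaries) is exactly the kind of thing a tester should check mechanically before touching any target. The following is an added example, not code from ID Control or from this page: it takes an agreed scope of hostnames, IP ranges and ports (the constructed `AGREED_SCOPE` below is a hypothetical client scope using documentation addresses) and filters a candidate target list into in-scope targets and rejected ones with a reason, so nothing outside the agreement is ever handed to a scanner.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed example scope, as it would be agreed with a (hypothetical) client
# before the test. Hosts may be hostnames, single IPs or CIDR ranges; ports may
# be single integers or "lo-hi" ranges.
AGREED_SCOPE = {
    "hosts": ["www.example.com", "203.0.113.0/24", "198.51.100.7"],
    "ports": [80, 443, "8000-8099"],
}


def _parse_ports(spec):
    """Expand the port specification into a set of allowed port numbers."""
    allowed = set()
    for item in spec:
        if isinstance(item, int):
            allowed.add(item)
        else:
            lo, hi = item.split("-")
            allowed.update(range(int(lo), int(hi) + 1))
    return allowed


def _parse_hosts(spec):
    """Split the host specification into literal hostnames and IP networks."""
    names, networks = set(), []
    for item in spec:
        try:
            # A single IP is accepted as a /32 (or /128) network.
            networks.append(ipaddress.ip_network(item, strict=False))
        except ValueError:
            names.add(item.lower())
    return names, networks


def host_in_scope(host, scope=AGREED_SCOPE):
    """True if the host is an agreed hostname or an address inside an agreed range."""
    names, networks = _parse_hosts(scope["hosts"])
    host = host.lower().rstrip(".")
    if host in names:
        return True
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        # A hostname that is not listed explicitly is out of scope; no DNS
        # resolution is attempted, so a hostname cannot "sneak in" via an IP range.
        return False
    return any(addr in net for net in networks)


def target_in_scope(target, scope=AGREED_SCOPE):
    """Check a URL or host[:port] string; returns (in_scope, reason)."""
    if "://" in target:
        parts = urlsplit(target)
        host = parts.hostname or ""
        port = parts.port or (443 if parts.scheme == "https" else 80)
    else:
        host, _, port_s = target.partition(":")
        port = int(port_s) if port_s else 80
    if not host_in_scope(host, scope):
        return False, f"host {host} not in agreed scope"
    if port not in _parse_ports(scope["ports"]):
        return False, f"port {port} not in agreed scope"
    return True, "ok"


def filter_targets(targets, scope=AGREED_SCOPE):
    """Split candidates into an in-scope list and a list of (target, reason) rejections."""
    accepted, rejected = [], []
    for target in targets:
        ok, reason = target_in_scope(target, scope)
        if ok:
            accepted.append(target)
        else:
            rejected.append((target, reason))
    return accepted, rejected


if __name__ == "__main__":
    # Constructed candidate list, e.g. the output of the exploration phase.
    candidates = [
        "https://www.example.com/login",
        "203.0.113.45:8080",
        "http://staging.example.com/",
        "198.51.100.7:22",
    ]
    ok, bad = filter_targets(candidates)
    print("in scope:", ok)
    for target, reason in bad:
        print("rejected:", target, "-", reason)
```

The check is deliberately strict: a hostname is only in scope if it was listed literally, and IP ranges are matched without resolving names, so the tester cannot accidentally widen the scope by resolving a hostname that happens to point into an agreed range. Out-of-scope candidates are kept with their reason so they can be raised with the client rather than silently dropped.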
The goal of a penetration test is to point out the vulnerabilities in the IT security of the client and what those could lead to if exploited.
ID Control's report of the penetration test gives:
- a management summary
- the methods used in testing
- strategic, tactical and operational advice on the technical risks per application or server
Before the testing starts, the following is agreed upon:
- which platforms will be tested
- the amount of information the tester has about the organisation
- when the testing will be executed
- that ID Control will be waived from any liability claims concerning (digital) trespassing.
Penetration tests may take a couple of days, depending on the number of systems, applications and servers that need to be tested.
Do you want to know more about penetration testing? Contact ID Control.