Penetration test process is basically used for finding security vulnerability from application. There are static and dynamic data are present in application which needs to be tested. Penetration will do code analysis, finds security vulnerability like malicious code as well as functionalities which may occur due to lake of security. For example proper encryption algorithm have been used or not, Hard coded user name and password have been used or not. This all kind of major area of application can be taken care in penetration test. Penetration testing can be done as automation and manual. For automate the application, we can use a tool like Vera code.
Penetration manual testing can be done with experts only as here static code analysis, business logic, design, control flow and application risk can be defined which provides highly assurance of application. Once any vulnerability have been founded in application by penetration then next step would be the identifying risk of the same in application. Thus, penetration is totally depends on complexity and size of the application as it will go through all the location of application, all process and data transmit have been verified and validate, all used environments have been checked, all key points and weakness of application can be detected. The main gold of penetration is, to clean all the vulnerability and unauthorized process of the application and malicious activity.
Penetration is also known as Pen testing. It is against for cyber-attacks. This pen test is widely used for web applications. In pen test we can use an argument like web application firewall. With this testing we can also verify API (Application Protocol Interface) and servers.
There are different kind of testing stage is present in pen testing. 1. Test Planning 2. Test Scanning 3. Managing Access vulnerability 4. Test Maintaining 5. Test Analysis & configuration.
Let’s discuss one by one in detail.
1. Test Planning: This is the first step of pen testing. In this we will decide the goals and scope of the test. Defining environment, system and which method we can use for testing these all thing is discussed with team or individually. Collect the requirements and domain like mail servers can be decided in this phase.
2. Test Scanning: In this phase we will decide about all analysis methods and target to the application that how it will response on our attempts. First analysis we can do it, Static Analysis. In this, Code analysis will be done and according to the behavior of the application code estimation can be calculated in single pass. Second analysis is, Dynamic analysis, in this we need to validate the code while running the application.
3. Managing Access Vulnerability: In this stage, web application attacks are taken care. If SQL Injection, cross site scripting this all kind of vulnerability is applied on web application then how to get over with the same and how to protect the data. These all discussion and process have been done in this stage. To prevent damage of the application is the main motto of this stage. Testers are try their level best to protect the application by unauthorized people.
4. Test Maintaining: In this stage, Testers need to identify the area from where vulnerability will take place for long time and unauthorized person can take data or stole data continuously. This needs to be identify in each stage of application development for maintenance of the whole project.
5. Test Analysis & Configuration: In this analysis phase all detail report about the application have been designed. Which kind of vulnerability is founded, what are the sensitive data needs to be protected. How much time have been required by the pen tester to test the application. This all analysis have been done with Firewall settings.
Now move forward to the Methods of Penetration Testing. Below are the Methods which can be used while doing pen testing.
1. External testing of application: In this method, Testers are mostly pay attention on visible attribute of application. Like fields on web page, domain name servers etc.
2. Internal testing of application: In this method, Testers needs to pay attention on the application code and validate that behind the firewall how unauthorized person can access inside data of application.
3. Blind Testing: This testing is done as smoke testing of an application. Testers needs to target on the sensitive data and apply any vulnerability on application and need to verify that how application reacts.
4. Target Testing: In this testing real time scenarios have been generated. For example, Security testers and testers are working together and one person will transfer vulnerability in to the application and one person tried to protect data at same time. Thus, Real time scenario will be generated and application reaction have been captured here.
No comments:
Post a Comment