The Ins and Outs of Enterprise Penetration Testing
Written By: Nebojsa Bajagic
Penetration testing is a crucial part of a mature security program. But what does enterprise penetration testing entail? Depending on both technologies and business goals, an enterprise pen testing program can include many components, all of which work together to support security, compliance, and broader business goals.
What Is Penetration Testing?
Penetration testing helps your business learn the real-world implications of vulnerabilities in systems and software. Though automated tools and vulnerability scanning can identify issues such as misconfigurations and unpatched machines, just having that raw data does not provide an accurate picture of what assets are actually at risk as a result. In penetration testing, security experts think critically about those vulnerabilities, formulate attacks, and identify what sensitive data can actually be accessed or compromised by exploiting those vulnerabilities.
The human element is the crux of penetration testing. A vulnerability scan or configuration review can provide useful information, but it doesn’t think like an attacker. In order to find out how attackers will view your business’s systems or software and try to gain access to sensitive information, human expertise is vital.
Why Businesses Need Penetration Testing
Businesses can benefit from penetration testing of any systems, networks, or applications where sensitive data flows, as a pen test provides necessary visibility into the actual risk to company data. For example, if your business has a team that is designing products or systems, your developers and designers are thinking about how to make sure that everything works smoothly for end users. Security may take a backseat. However, it’s important to think about how functionalities or configurations can be abused for financial gain or unauthorized information access. Or, think about the case of outdated software. Your business may decide that it does not need the newest features immediately, but may not be aware that the update also fixes a remote code execution vulnerability that could give an attacker access to sensitive internal systems.
Regular penetration testing is essential because it provides visibility into the risk associated with any of your systems that transmit or store valuable information. By penetration testing your systems on a regular basis, you can prioritize internal security initiatives to fix the most critical issues. And, if your business sells software or devices to customers, penetration testing before putting them on the market or releasing them as updates gives customers confidence that they are getting a product that will provide the functionality they need without introducing unnecessary security risks to the environment.
Categories of Penetration Testing
Enterprise penetration testing is not a one-size-fits-all security solution. Like many aspects of a security program, penetration testing plays different roles depending on the line of business as well as on security and compliance goals.
Product Security Testing
If your company creates products and releases them to clients, penetration testing is vital before code or devices make it into their hands. There are several types of penetration tests that often come up as part of product security testing, including testing of desktop, web, or mobile applications, assessment of Internet of Things devices, or testing of APIs.
A product security testing program should be tailored to development and release practices. For example, if your development and release is version-focused, then a product security testing program can involve penetration testing and subsequent remediation before each large release. On the other hand, if you use a more feature-focused or Agile methodology, then product security testing should be implemented within those cycles of development and release.
Risk Management Testing
Penetration testing is also important as a component of your own security program. Assessing both the internal and external footprints, identifying the real risk of vulnerabilities in those networks and services, and reducing the probability of data breaches matters for compliance, financial, and reputational reasons. Penetration testing from security professionals who understand business and can integrate that testing into a broader security program puts you in the best place to reduce risk, reach compliance goals, and grow with confidence.
Types of Penetration Tests
There are several different types of assessments that fit under the broader umbrella of product security and risk management penetration testing. They all achieve the central goal of using human intelligence and ingenuity to translate vulnerabilities to actual attacks and data risk.
Network Penetration Testing
Network penetration testing encompasses both internal and external assets. Both kinds of network penetration tests are important. Even though most breaches are caused by external threat actors, often those attackers are able to access data because they are able to pivot to an internal host or network and access even more sensitive information.

In network penetration testing, security experts identify exploitable vulnerabilities in your business’s network. Stages include scoping the penetration test, performing reconnaissance on the network resources, scanning for hosts and services, verification of identified issues, exploitation testing, and analysis of business risks based on the findings. This gives you a clear picture of not only the vulnerabilities present in the in-scope network assets, but also knowledge of the real risks behind those vulnerabilities.
Web Application Penetration Testing
Web applications, whether they are hosted on your own infrastructure or in the cloud, provide the interface between your users and your data. They are essential for performing business functions, but vulnerabilities in a web application can lead to compromise. For example, an e-commerce application is critical for a company to sell products or services online, but security flaws in the application could reveal customers’ order histories, payment data, personal data, or even sessions to attackers.

A web application penetration test tailored to specific technical and business needs uncovers security flaws in the application code, platform, and configuration, and should include tests for vulnerabilities both in the OWASP Top 10 and beyond. A thorough web application penetration test also provides the necessary business risk context for those flaws. That helps guide remediation efforts and prevent expensive data breaches.
Mobile Penetration Testing
Mobile apps make doing business more streamlined than ever, but they also raise complicated questions of both hardware and software security. Since they allow customers or employees access to your sensitive data, often from personal devices with few security controls, mobile apps require thorough testing before being released into production.

A mobile application penetration test includes a full range of analysis that leads to secure mobile applications. Those steps include analysis of business logic and the attack surface, threat modeling, dynamic testing of the app, attempts to bypass root detection and SSL pinning, static testing, and device-based testing. This detailed methodology provides a full view of how the mobile app works, how attackers can exploit flaws, and what data is at risk.
API Penetration Testing
From desktop to web to mobile, application programming interfaces (APIs) have revolutionized how modern applications handle data. APIs have opened up new horizons for doing business online, but they have also changed the threat landscape, especially since so many APIs nowadays handle sensitive data such as PII or PCI data. If your business develops or uses APIs, penetration testing is vital to make sure those interfaces have the security controls in place to properly handle the data to which they are given access.

API penetration testing requires analyzing business logic in order to understand the full path of data flow, identifying the features and use cases that make up the attack surface, and performing threat modeling, as well as research and exploitation testing tailored to the API. Once the testing is completed, the information is presented to technical audiences for remediation, as well as put into the context of business risk to allow managers and executives to make informed security decisions that relate to the API.
Internet of Things Penetration Testing
As Internet of Things (IoT) devices become more prevalent, they make business easier but can also present security risks. If your company makes IoT devices, penetration testing is vital to give customers confidence that they are purchasing the most secure product possible to do what they need. Or, if your company is considering an IoT device in a sensitive context, penetration testing can provide the information necessary to properly assess risk to your data, networks, and reputation.

Steps for a thorough IoT penetration test include planning the assessment, threat modeling, and executing tests against hardware, firmware, remote management capabilities, and radio communications. Once that full battery of tests has been executed against the IoT device, reporting should include both technical information useful for remediation as well as executive reporting that puts the identified and exploitable issues in the proper context of business risk.
The Importance of Penetration Test Reporting
As important as it is for a penetration test to be properly scoped, thorough, and use proper methodologies, the test means little if the reporting is poor. After all, penetration testing is not the goal, but rather a way for your business to know your security posture better and to properly prioritize your initiatives to improve your security posture. An accurate report of the testing performed and the findings of the test is a good high-level start, but that is not all there is behind useful penetration test reporting.

Translating penetration testing into action starts with professional reporting that is targeted toward the right audiences. For example, a deeply technical report may be very helpful for a developer or network administrator who needs to fix code or configurations based on the penetration test, but it is not the right kind of report for a manager or C-level executive who needs to make bigger-picture decisions about the direction of the security program.
Modern Penetration Testing Concerns
Though penetration testing has long been an integral part of security programs, there are several concerns that have arisen due to modern shifts in how technology is developed and implemented. Keeping these in mind can help your business design the right penetration testing program and ensure that you are meeting business needs and practically reducing risk.
Software Security Testing Methodologies
When penetration testing software, consider development methodologies when planning a penetration testing program. If your business develops software using traditional waterfall methods, it makes sense to schedule penetration testing before each release, in enough time to remediate the issues found before the code is released.

However, more and more businesses are shifting to Agile frameworks. Agile development frameworks are excellent for client satisfaction since they are feature-focused, and allow software to be released more quickly and nimbly based on the features clients need. But traditional penetration testing methodologies do not keep up with Agile development. Since Agile sprints can release code into production as frequently as every two weeks, testing the software every six months or every year as in a traditional penetration testing program is not enough.
Instead, if you use Agile development methodologies you should implement Agile penetration testing. That way, code can be penetration tested and security issues remediated before each release. It benefits your clients because they get more secure code on a regular basis, and it helps developers because they not only build stronger security awareness but will not have to stop every six months or year to go back and fix issues found during monolithic penetration testing.
Penetration Testing in an Age of Scale and Automation
As your business grows, you need to plan a penetration testing program that can scale with you. If your business is just starting a penetration testing program, the first step is determining the most critical systems and data to test. Then you can expand the scope of penetration testing as you reach deeper security maturity. What matters most when considering a penetration testing program at scale is knowing what the most critical data is and where it resides. That way, your business can focus its penetration testing program on the highest-risk data and assets, and increase maturity from there.

In terms of automation, keep in mind that automation provides a critical function within penetration testing, although it will never be all of it. Automation does assist penetration testing teams with identifying issues and beginning to think about what kinds of attacks are possible in a network. However, purely automated security scanning lacks the human element of being able to put vulnerability information in context, identify real risks to data, and prioritize the issues that pose the most real risk to data.
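To make that point concrete, here is an added illustration (not code from Security Compass or from this article) of how raw scanner output can be combined with knowledge of where the critical data lives, as this section and the reporting section above both recommend. The asset inventory, weights and findings are constructed assumptions; the same scored list feeds both a technical remediation order and an executive roll-up by data class.

```python
from dataclasses import dataclass

# Constructed asset inventory (hypothetical names); "data" is the most sensitive data class held.
ASSETS = {
    "web-shop-01": {"exposure": "external", "data": "payment"},
    "hr-portal":   {"exposure": "internal", "data": "pii"},
    "build-srv":   {"exposure": "internal", "data": "none"},
}
# Assumed weights: tune these to your own data classification scheme.
DATA_WEIGHT = {"payment": 4, "pii": 3, "none": 1}
EXPOSURE_WEIGHT = {"external": 2, "internal": 1}

@dataclass(frozen=True)
class Finding:
    asset: str
    title: str
    cvss: float      # severity reported by the scanner (0.0-10.0)
    verified: bool   # True once a tester has confirmed it is exploitable

def risk_score(f):
    """Integer score: CVSS x 10, scaled by data sensitivity and exposure; unverified hits are halved."""
    a = ASSETS[f.asset]
    score = round(f.cvss * 10) * DATA_WEIGHT[a["data"]] * EXPOSURE_WEIGHT[a["exposure"]]
    return score if f.verified else score // 2

def prioritize(findings):
    # Remediation order for the technical audience: highest contextual risk first.
    return sorted(findings, key=risk_score, reverse=True)

def technical_report(findings):
    return [f"{risk_score(f):>4} {f.asset:<12} {f.title} ({'verified' if f.verified else 'scanner only'})"
            for f in prioritize(findings)]

def executive_summary(findings):
    """Per data class: number of findings and the single highest score, for the management view."""
    out = {}
    for f in findings:
        cls = ASSETS[f.asset]["data"]
        entry = out.setdefault(cls, {"findings": 0, "max_score": 0})
        entry["findings"] += 1
        entry["max_score"] = max(entry["max_score"], risk_score(f))
    return out

# Constructed sample findings, as a scanner plus a tester might produce them.
SAMPLE = [
    Finding("build-srv", "Unpatched remote code execution in CI agent", 9.8, True),
    Finding("web-shop-01", "Stored XSS in product review form", 6.1, True),
    Finding("hr-portal", "SQL injection in employee search", 9.8, True),
    Finding("hr-portal", "Directory listing enabled", 5.3, False),
]
```

Note that the medium-severity flaw on the external payment-handling asset outranks the critical one on the internal build server; a real model would also weigh pivot potential, which the network testing section mentions.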
Choosing the Right Penetration Testing Partner
When selecting a penetration testing partner, it matters to ask the right questions. It is critical to find a partner who has the right kind of technical expertise. That expertise includes experience performing penetration tests in general, as well as penetration tests against technologies your business uses. However, it also includes identifying penetration testers who work to understand the latest attack concepts and learn emerging technologies. After all, the real-world attack surface is always changing, and choosing a penetration testing partner who does the work to stay on top of it helps your business stay secure.

However, technical expertise does not paint the whole picture. It also matters to work with a penetration tester who works to understand your business. After all, your goals do not end with the penetration test. Your goals are broader than that. They include things like compliance, growth, and product or service launch initiatives. Working with a penetration tester who takes the time to understand how security goals support larger business initiatives means more actionable results for the long term.
Learn More About Security Compass Advisory
Security Compass Advisory has been a leader in information security for over fifteen years. With a deep bench of experienced penetration testers, our team has the knowledge, expertise, and business understanding to help you build a penetration testing program that meets your goals. To learn more about our enterprise penetration testing expertise and our collaborative approach, contact us to start the conversation.
Nebojsa is a Principal Security Consultant and Team Lead at Security Compass. Combining technical and leadership skills, Nebojsa leads multi-domain Penetration Testing projects including Web, API, Cloud, Point of Sale, and Mobile with a strong focus on PCI Compliance.