The Standard Penetration Test
Plynt.com has been a leader in penetration testing for years. One of their network security analysts explains the process of the standard penetration test, the backbone of Plynt.
Most regulations recommend penetration tests in one form or another. For example, section 11.3 of the PCI Data Security Standard requires the organizations it applies to to conduct network and application penetration tests annually or more frequently. Section 8 of the Administrative Safeguards in the HIPAA Security Rule requires a comprehensive security evaluation program, which in implementation would consist of security process audits, periodic vulnerability assessments and penetration tests.
A typical security testing and evaluation program consists of activities such as network security audits, vulnerability assessments and penetration tests. Security audits cover both security management processes and IT assets. The part of the security audit that covers IT assets is generally called a network vulnerability assessment. Penetration tests come in two broad types: the standard, or network layer, penetration test and the application layer penetration test.
The standard penetration test may also be called a network layer test, a network penetration test or a black box test. It requires the bare minimum of information about the targets, usually just the IP addresses of the systems to be tested. The testing is performed using a penetration testing tool kit, which can involve well over 25 custom, commercial and open source tools. Although the testing leverages tools, it relies heavily on a well-trained and experienced security tester. The results of a penetration test will be free of false positives and false negatives. They will include very specific inputs on closing any holes in your external-facing networks. Related tests include penetration testing on internal networks, between interconnected LANs and VLANs, and on wireless networks, as well as penetration through social engineering techniques.
The application penetration test may also be called an application layer test, an application security assessment or a gray box test. Such tests are applied to websites, web applications, thick client applications, mobile applications and software appliances. Unlike the standard penetration test, the application penetration test requires significantly greater human expertise to create application threat profiles and custom test cases. Application layer vulnerabilities fall into two broad categories: technical vulnerabilities such as SQL injection and cross-site scripting, and logical vulnerabilities that lead to illegal transactions and privilege escalation. By and large, application penetration tests used to be targeted at critical web applications or bread-winning applications, but today, with scalable solutions offered on a SaaS platform combined with large testing teams, organizations like extend this level of testing across all their applications. Related tests include testing of thick client applications, mobile applications and software appliances, and security code reviews of source code.
For more information on website penetration testing.




