There are six types of penetration tests, distinguished by the amount of information the customer has about the tester (and vice versa), what to expect from the test, and the legitimacy of the test: Blind, Double Blind, Gray Box, Double Gray Box, Tandem and Reversal. Spentera will perform the test using Double Blind (black box) and Gray Box. These approaches demonstrate a number of real-world hacker techniques and may reveal vulnerabilities (known or unknown) that exist on the application or network layer. Meanwhile, in the security architecture review, we will use the Tandem approach to examine and perform gap analysis against the current condition of the IT security infrastructure.
Application Layer Testing
Spentera will perform the test from the perspective of the defined roles of the application, which can be a mobile, desktop, or web-based application. Each role in the application will be tested against various testing guides:
OWASP Testing Guide: Web Application Security
This guide is divided into passive and active modes. The passive mode tries to determine all entry points of the application (HTTP headers, parameters and cookies) in a non-intrusive manner and includes 10 controls defined in information gathering, while the active mode is split into 10 sub-categories for a total of 90 controls.
OWASP Testing Guide: Mobile App Security
This guide will create a list of vulnerabilities and findings on a given mobile application. It consists of Information Gathering, Static Analysis and Dynamic Analysis that includes Device Analysis, OWASP Web Application Testing and Network-Layer testing.
Since most protocols are well-defined and have standard modes of interaction, network-layer testing is more suitable for automated testing. This makes automation the first logical step in a network-layer test. Because of such standardization, tools may be used to quickly identify a service, a software’s version, test for common misconfigurations, and even identify vulnerabilities. Automated tests can be performed much faster than could be expected of a human.
However, simply running automated tools does not satisfy a pentest's needs. The tools cannot interpret vulnerabilities, misconfigurations, or even the exposed services to assess the true risk to the environment. They only serve as a baseline indication of the potential attack surface of the environment. Therefore, using the documentation provided by the organization during the pre-engagement, we should verify that only authorized services are exposed at the designated perimeter, and attempt to bypass authentication controls from all network segments where authorized users access the segmented network, as well as from segments not authorized to access the internal environment.
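As an added example (not Spentera's own tooling), the script below carries out the verification step described above: it compares scanner output against the authorized-services list from the pre-engagement documentation. It assumes the scanner output is in Nmap's grepable format, which the page does not name; the hosts, ports and authorized list are constructed sample data.

```python
import re

# Constructed sample in Nmap grepable (-oG) format; hosts are documentation addresses.
SCAN_OUTPUT = """\
Host: 203.0.113.10 ()\tStatus: Up
Host: 203.0.113.10 ()\tPorts: 22/open/tcp//ssh///, 443/open/tcp//https///, 3306/open/tcp//mysql///\tIgnored State: closed (997)
Host: 203.0.113.20 ()\tPorts: 25/open/tcp//smtp///, 80/filtered/tcp//http///, 161/open/udp//snmp///
"""

# Hypothetical authorized-services list taken from pre-engagement documentation.
AUTHORIZED = {
    "203.0.113.10": {(443, "tcp")},
    "203.0.113.20": {(25, "tcp"), (587, "tcp")},
}

# One port entry: port/state/protocol/owner/service/...
PORT_RE = re.compile(r"(\d+)/([^/]*)/([^/]*)/[^/]*/([^/]*)/")

def parse_open_ports(grepable):
    """Return {host: {(port, proto): service}} for ports reported as 'open'."""
    found = {}
    for line in grepable.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        host = line.split()[1]
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        for entry in ports_field.split(","):
            m = PORT_RE.match(entry.strip())
            if m and m.group(2) == "open":
                found.setdefault(host, {})[(int(m.group(1)), m.group(3))] = m.group(4)
    return found

def audit(observed, authorized):
    """Return (unauthorized exposures, authorized services not observed)."""
    unauthorized, missing = [], []
    for host in sorted(set(observed) | set(authorized)):
        seen = observed.get(host, {})
        allowed = authorized.get(host, set())
        for key in sorted(set(seen) - allowed):
            unauthorized.append((host, key[0], key[1], seen[key]))
        for key in sorted(allowed - set(seen)):
            missing.append((host, key[0], key[1]))
    return unauthorized, missing

if __name__ == "__main__":
    unauthorized, missing = audit(parse_open_ports(SCAN_OUTPUT), AUTHORIZED)
    for host, port, proto, svc in unauthorized:
        print(f"UNAUTHORIZED {host} {port}/{proto} ({svc})")
    for host, port, proto in missing:
        print(f"NOT OBSERVED {host} {port}/{proto}")
```

Both lists are inputs to manual review: an unauthorized entry still needs a tester to judge its risk, and a "not observed" entry may be filtered or down rather than absent.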
One of the weakest links in information security is people, that is, employees. People assessment has to be included in the testing scope of a security assessment, and while this kind of testing has no defined standard method, it still has a baseline of testing that includes information gathering (communication, physical and technical), establishing relationship and rapport, exploitation of the target, and execution.
Who needs this?
Those who run a vulnerability scanner on a scheduled basis.
Those who want to improve and test their IT security implementation.