In my work, I often communicate with customers as a leading specialist and representative of the cyber security division, in order to thoroughly discuss all their requests and issues.
During such calls and meetings, it periodically emerges that some customers do not fully understand what a penetration test actually is. Many, for some reason, confuse this type of service with a vulnerability assessment or even a simple scan, and there is also some confusion about the approaches used in penetration testing projects.
A real case: a web application with a limited registration process, which the customer wanted checked in the black box model. Yet from the customer's expectations I immediately realized that it was actually a gray box engagement, including the possibility of testing from a user's personal account. Of course, after summarizing this information, we came to a common denominator.
Yes, I understand that many clients do not have their own information security departments and simply cannot correctly formulate requirements for this type of project. Of course, our main task is to help and guide them on the right path, which I do with great success.
But what is the essence of the problem? Perhaps this topic is not covered sufficiently? Or is the terminology too complicated and the approaches and processes not fully understandable?
Let's try to deal with these issues a little here.
The main types of security testing
- Penetration tests
- Vulnerability Assessment
- Security audit
Types of penetration tests
- Black box - we work with nearly zero information: we have either a link to the site or just the name of the company. The goal, of course, is to compromise the application, network, or any data (including employees).
- Gray box - in this case we work with a near-minimal data set, roughly at the black box level, but we may already have credentials for entering the application, for example.
- White box - this is most often applicable when working directly from within the customer's infrastructure, when we have the network topology, know the IP addresses of the servers, and know what types of applications are used. This approach is also partially applicable to projects involving source code analysis.
Other types of security testing
Vulnerability assessment is a more automated procedure, with an additional step of validating the results obtained and eliminating false positives. The main task is to find as many vulnerabilities as possible.
Security audit - we have all the cards in our hands: we have access with administrator-level privileges, or alternatively copies of the configuration files. The main task is to study the solution in use, its architecture, the software used and its versions, and the methods for restricting access to and communication between systems.
In this post I was far from able to cover all approaches and methods, but on the whole the picture looks something like this. I hope this material will at least help those who wish to conduct a pentest or an audit of their systems to correctly choose the type of service and the approaches used.