To Pentest or Not To Pentest…
I get a lot of questions throughout the week. I love questions. Asking questions is how we reach understanding.
One of the questions I get often is around pentesting. To some folks, pentesting is a black box (pun intended): part mystical, part mysterious, and somewhat magical.
Here are some questions that I get around pentesting:
What is a pentest?
Why do I need to do a pentest?
Do you do pentests?
Is it ok to share confidential information with them?
Why do they need access to source code?
Is it safe?
In this article, I hope to demystify the process, answer all of the above questions, and put you in a better position to make a decision on a pentest. If you already know what a pentest is and are looking to get one, please read my how-to article on how best to do one.
Below is a term you will want to understand regarding the topic:
Attack Surface (aka surface area): the set of points where an attacker can reach a system to try to get in or pull data out. The surface you pick is what the pentest is scoped to.
What Is A Pentest
A penetration test, aka pentest, is where a 3rd party entity is hired to conduct some form of intrusive security testing on an attack surface of your choice for the purpose of uncovering security vulnerabilities on that surface.
Types of Pentests
There are a number of surfaces you can choose from, and the surface dictates the type of pentest it is. The following is a general list of the pentests commonly available:
An application pentest is when the surface area in focus is an application, such as:
Web Applications & APIs
Mobile Applications
Desktop & Agent Applications
The OWASP Web Security Testing Guide is an excellent resource to understand the types of tests that would be conducted against your application. Typically, researchers are trying to identify the vulnerability classes in the OWASP Top 10, but of course are not limited to just these.
With the explosion of SaaS and mobile software, the application pentest is the most ubiquitous type of test sought by our clients and other pre-IPO startups.
Appsec: Bug Bounty Programs
One thing that is important to note is the availability of Bug Bounty Programs. These are crowd-sourced programs where you open up your application for testing to security researchers worldwide. There are lots of variations to these programs (private, public, managed, unmanaged) that are beyond the scope of this article. Typically our advice would be to shore up your appsec footprint before jumping into one of these.
Here is a list of 5 Things NOT To Do With Bug Bounties.
A network pentest is the classic example of a pentest. Before the ubiquity of applications, the only thing standing between our infrastructure and an attacker was an IP address. A researcher would have to find a live host on an IP address, scan for open ports on that host, identify what is listening on them, and try to discover vulnerabilities in those services.
However, it’s not limited to pure IP addresses; your DNS is also in scope. So watch out for split-horizon DNS issues, where internal hostnames and addresses leak through your public-facing DNS. That leak maps out your internal network for an attacker and can also feed a Social Engineering pentest (see below).
Types of Network Pentest
Network pentests are usually scoped as external (from the internet, against your public IP space and DNS) or internal (from a foothold inside your network, simulating a compromised device or an insider).
A physical pentest is trying to exploit the entire physical surface area of your target. This may include any of the following areas or tactics:
Wifi Access Points
Office walkthroughs are my favorite. This involves walking through offices and cubicles after hours and looking for post-it notes of passwords underneath keyboards or attached to monitors. (Yes, this happens.)
Social Engineering Test
In the case of social engineering, the attack surface is humans. Researchers are trying to exploit vulnerabilities in human-based processes and systems, for example:
Exploit customer service process to obtain or modify confidential information
Exploit company employees or system administrators to obtain information and/or access
Exploit accounting and finance departments to conduct financial transfers and fraud
Red Team
The term originated in the military community and has since been adopted by the cybersecurity community with the same fundamentals. A Red Team exercise in the information security sense is the use of any and all of the above methods to obtain information or attain an objective. It is also known as a full-scope exercise.
Below are some examples of objectives:
Obtain access to privileged customer data
Obtain access to the CEO’s email and documents
Obtain privileged administrative access to company infrastructure
Why Do I Need A Pentest
We do assessments throughout our daily lives in order to obtain objective data to help us make decisions. This happens when we go to the doctor, get a blood test, or have interview candidates answer questions/scenarios or do an exercise.
A pentest is a form of assessment that produces data about the vulnerabilities that exist in a system, so that you can remediate them before a threat actor exploits them.
Not conducting a pentest or any form of application security vulnerability testing does not mean the vulnerabilities are not there. It’s just that you don’t know about them. An unknown unknown.
If you do not yet hold a third-party attestation or certification such as SOC 2 or ISO 27001, a recent pentest report often gives a prospective customer or partner the confidence they need to use your product.
Having a pentest could be the start of your Information Security or Application Security roadmap. For example, an appsec pentest may uncover insecure development patterns or practices in your environment. Fixing those patterns prevents the same class of vulnerability from being introduced into your code again.
Why Do They Need Access To Source Code
Within pentesting, there is an additional dimension: how much access and insight the testers are given into the surface under test. The two ends of that range are white box and black box.
White Box
This is where penetration testers are provided full access to your application. This means test user credentials for every role in the application, including admin, as well as access to your source code. Typically you want a dev or staging version of the application for testing and should not allow penetration testers to “test” prod. I know, hackers are already doing this, but you also care about your job, and it would not be great if you were the cause of an outage.
With access to your source code, testers can understand vulnerabilities in your application faster and more efficiently.
This is the recommended approach as it will give you the most coverage and best use of your budget.
Black Box
This is often the most requested service: hack me without my giving you any details. Basically, you give the pentesters a URL and that’s it, and they have to try to get in. They start with essentially zero knowledge of the application, hence “black” box: there is no visibility inside.
Unfortunately, it’s not so realistic, nor a good use of your budget. The typical pentest engagement is about two weeks. A lot of ramping up and familiarization has to happen just to understand your application. Hackers (and bug bounty hunters) have unlimited time to understand your application. So in a sense, it really isn’t a fair fight or a fair assessment.
So yes, in order to get the most out of your pentest they will need access to your source code, especially if you are early in your vulnerability management maturity or have not had a pentest before.
Is It Safe To Do a Pentest?
Is it safe to drive a car to the grocery store?
With everything there is a level of risk. With a pentest, you reduce the risk by creating an environment the security researchers can use. The important factor is that the environment is as close to production as possible.
In an application security pentest that’s relatively easy, but it is not really possible with some of the other types of tests. Good and reputable security researchers and companies will do their best to ensure as little disruption as possible; however, they will never guarantee no disruption.
Below is a list of tactics to help reduce the impact of a pentest:
Utilize a reputable company or entity that understands business impact
Utilize a like for like dev environment if possible
Conduct activities during off hours for high-risk environments
Notify security researchers of known issues that could impact your business or availability of your platform
To Pentest or Not To Pentest Conclusion
Hopefully you are now enabled with enough information to make a sound and informed decision on conducting a penetration test for your company.
There are many kinds of tests, and conducting one will help you uncover unknown unknowns in your environments, as well as plant the seeds for your application security or overall information security roadmap.
Cloud Security Labs does not conduct Penetration Testing, but does help with the process as part of our vCISO Involved program.
If you have questions on this or any other topic we’ve written about, please feel free to get in touch and discuss with a vCISO. All our vCISOs are experienced security professionals with various specializations such as SOC 2/ISO compliance, Security Operations, or IPO readiness.