The best moments to perform a penetration test

Blog | Penetration test | Z. Oualid

Performing a penetration test on your application is one of the best actions you can take to enhance its security. However, performing it at the wrong moment could impact your users' experience or make the test inefficient. So when should you do a penetration test?

A penetration test should be performed in a test environment during the development phases. However, if the application is already developed and running in the production environment, the penetration test should be performed during low-traffic hours.

When should you perform a penetration test?

Performing a penetration test against your application or your network should be a periodic task included in your yearly planning. However, in some cases a yearly penetration test is not enough to enhance the security of your system, especially in the development or implementation phases. Therefore, here is when you should perform a penetration test depending on your system's situation.

Application in the development process

The best moment to start performing penetration tests against your application is during the development stages. A security review should be done at each step of the development lifecycle. However, a penetration test can only be performed once there is a working app that can be tested.

Therefore, I highly recommend that my clients perform a penetration test at the end of the coding step, when the app is working correctly and has been verified in the test environment. This penetration test can also be part of the DAST process executed on the application, and it complements that process by finding the deepest vulnerabilities in the app.

Once the application is deployed in the production environment, another penetration test should be performed against the application and the environment where it is hosted.

What I have said so far about applications remains valid for networks too. A penetration test should be performed once the whole network is configured and working correctly. However, configuration security checks should be performed each time a new device is added to the network.

Application already developed but not in production

The test environment is the most favorable place to start performing penetration tests. In this environment, all techniques and attack scenarios can be executed against the application without fear of disturbing the clients. The same applies to a network implementation, since performing a penetration test against the production network may disturb the employees and in some cases stop production.

As I said at the start, security reviews and checks should be performed at the earlier stages of the implementation lifecycle. The architecture, the configuration, and the security of many other network components should be verified and discussed even before the implementation phase.

Application already in production

To be honest, this is the most difficult situation in which to perform a penetration test, as the application usually already receives high traffic and uses real user data. It is true that we take care of the client's data and do not perform any actions that could change it. However, this reduces the number of tests we can perform and the types of attack scenarios we can execute.

Sooner or later, performing a penetration test in this situation becomes necessary. Therefore, there is no need to panic while doing it; all you need to do is keep an eye on your production environment and take the necessary precautions before starting the pentest, such as making a data backup.

What kind of tools should you forbid to avoid disturbing production?

While performing a penetration test, a lot of tools might be used. Unfortunately, many of those tools can disturb the employees or the applications if they are not used correctly. Moreover, some of those tools can disturb your production even when they are used correctly, and I will give you some examples in the following paragraphs.

  • Cain and Abel: this tool is used to perform man-in-the-middle attacks on the network. The same tool then uses those attacks to retrieve the NTLM hashes of network users. In some cases this tool performs what we call ARP poisoning to redirect the network traffic to the attacker's machine. Unfortunately, this attack can block the whole network and stop production. I highly recommend that you forbid this tool during scope preparation.
  • Acunetix: this tool works as a web vulnerability scanner. It uses a spider to retrieve the application's entry points before testing them. Unfortunately, when performing an authenticated scan, this spider can perform unwanted actions on the application that can block production or modify data.
  • Dirbuster/dirb: Dirbuster and dirb are two tools that brute-force directories and files on the web server. Therefore, using these tools on a production environment without a configuration that limits the number of requests per second could amount to a kind of DDoS attack against the server.
  • John the Ripper or Hydra: these two tools are used by penetration testers for password brute-forcing. They help guess passwords by sending a lot of character combinations to the application. Most of the time, to guess the password quickly, these tools send a large number of requests per second, which can cause a denial of service.
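To "keep an eye on your production environment" while such tools run, and to catch a scanner whose request rate was not limited, a defender can watch the web server's access log for request bursts and runs of failed requests. The script below is an added example, not part of the original post; the log lines, IP addresses and thresholds are constructed for illustration.

```python
import re
from collections import defaultdict
# Apache/nginx "combined" access-log line: client, timestamp, request, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) ')

def parse_line(line):
    """Return (client_ip, timestamp_to_the_second, status) or None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("ip"), m.group("ts"), int(m.group("status"))

def flag_bursty_sources(lines, max_rps=10, min_requests=20, error_ratio=0.8):
    """Map client IP -> reason for clients exceeding max_rps in any single second
    (unthrottled scanner) or sending >= min_requests that are mostly 4xx/5xx."""
    per_second = defaultdict(lambda: defaultdict(int))  # ip -> second -> hits
    totals = defaultdict(lambda: [0, 0])                 # ip -> [hits, errors]
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue                                     # skip malformed lines
        ip, ts, status = parsed
        per_second[ip][ts] += 1
        totals[ip][0] += 1
        totals[ip][1] += int(status >= 400)
    flagged = {}
    for ip, (hits, errors) in totals.items():
        peak = max(per_second[ip].values())
        if peak > max_rps:
            flagged[ip] = f"{peak} requests in one second (limit {max_rps})"
        elif hits >= min_requests and errors / hits >= error_ratio:
            flagged[ip] = f"{errors}/{hits} responses were errors"
    return flagged

def constructed_sample():
    """Constructed log lines (not real traffic): fast scanner, slow all-404 guesser, one visitor."""
    tpl = '{ip} - - [10/Mar/2024:02:00:{sec:02d} +0000] "GET {path} HTTP/1.1" {st} 512 "-" "{ua}"'
    fast = [tpl.format(ip="203.0.113.7", sec=1, path=f"/dir{i}/", st=404, ua="fast-scan")
            for i in range(30)]                          # 30 hits in one second
    slow = [tpl.format(ip="192.0.2.5", sec=1 + i // 4, path=f"/p{i}", st=404, ua="slow-scan")
            for i in range(20)]                          # 4 hits/s, all 404
    user = [tpl.format(ip="198.51.100.9", sec=s, path="/index.html", st=200, ua="browser")
            for s in range(1, 6)]                        # normal browsing
    return fast + slow + user

if __name__ == "__main__":
    for ip, reason in flag_bursty_sources(constructed_sample()).items():
        print(f"ALERT {ip}: {reason}")
```

In practice the thresholds are tuned to the site's normal traffic, and the same check can be fed from the pentest team's agreed source addresses so a misconfigured tool is spotted before it affects users.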

How often should a penetration test be performed?

According to cybersecurity best practices and standards, a penetration test should be performed at least twice a year. However, the more penetration tests you do, the more secure the web application or the network will be.

You should know that performing penetration tests without fixing the detected issues is not a good idea; it is just a waste of money. Likewise, fixing the detected vulnerabilities without performing a verification penetration test afterwards is also a waste of money.

Written by: Z. Oualid


About the author

Z. Oualid

I am a Cyber Security Expert; I have worked with many companies around the globe to secure their applications and their networks. I am OSCP and OSCE certified, which are the most recognized and hard technical certifications in the cybersecurity industry. I am also a Certified Ethical Hacker (CEH). I hope you enjoy my articles :).
