What does an effective penetration test consist of?

Blog, Penetration test. Z. Oualid, July 28, 2021


One of the best ways to improve a company's security posture is to have a penetration test performed. Unfortunately, penetration testing is not an exact science in the way software development is, so you need a way to judge whether a test was effective and whether your investment was worth it. So what does an effective penetration test consist of?

An effective penetration test is a combination of well-executed tasks performed by the right people, with the right tools, following a well-defined methodology.

In this blog post I explain what an effective penetration test looks like and why. If you want to know more about it, you are in the right place.

The right methodology and standard

I think one of the most important parts of any professional penetration test is the methodology the penetration tester follows. A penetration test is performed in a limited period of time and is expected to give the best results possible in that window. Without a well-defined methodology to hand, a penetration tester loses both time and effort.

Even in bug bounty hunting, a methodology is required to make the best use of your effort and to find the vulnerabilities you are looking for.

For a beginner penetration tester, following a pentest methodology already defined by experienced practitioners is the best idea. With more experience, the security expert starts tuning their own methodology. In some cases, a checklist is enough and can serve as a methodology, especially when dealing with web applications.

Here is a list of well-known penetration test methodologies and checklists:

  • CEH methodology (the phased reconnaissance, scanning, gaining access, maintaining access and covering tracks model taught in the Certified Ethical Hacker course)
  • OSSTMM (Open Source Security Testing Methodology Manual)
  • OWASP (the Web Security Testing Guide and its accompanying checklist)

The second most important factor in the effectiveness of a penetration test is following the guidelines of the right standards. Doing so gives the company the opportunity to comply with well-known standards.

Complying with well-known standards also gives companies a commercial push towards their clients. It is a way to demonstrate that the company cares about their privacy and their personal information. In some cases, large companies require that their development service providers produce applications that comply with specific standards, for example:

  • HIPAA for healthcare applications
  • PCI DSS for applications that handle cardholder data

The right people

Having a good methodology for performing a penetration test is a very good start on the road to effectiveness. However, having the right person with the right skills to follow that methodology is also needed, and is even more important.

Many people call themselves security experts or penetration testing experts without having the knowledge for it. A lot of them just run tools against the client's machines or applications and wait for a report to submit. Launching tools will never be sufficient for an effective penetration test: many vulnerabilities cannot be discovered by an automated tool.

Therefore, try to ensure that the service provider has the expertise to do a good job. I know this can be very difficult, especially if you do not have much technical knowledge of penetration testing. However, you can always ask your service provider for proof of expertise, and the most practical way to do that is through certifications.

I understand that some good hackers out there do not like this idea, but there is no other effective way to prove your expertise legitimately.

Many good cybersecurity certifications on the market will give you an idea of the level of expertise your service provider has, such as OSCP and OSCE. These two certifications have fully hands-on exams, lasting 24 hours for the OSCP and 48 hours for the OSCE, with the objective of compromising a set of machines. Both have a reputation for being difficult to pass.

Other certifications on the market, such as CISSP, are also valuable and show a level of expertise and knowledge in cybersecurity. However, I have talked only about OSCP and OSCE because they are the most technical in both exam and course.

Another aspect I would like to talk about here, one that can make a big difference between an effective penetration test and an ineffective one, is the commitment of management. To be honest, if managers and decision-makers are not committed to pushing their teams to apply the recommendations, then in most cases the results will be ignored by the technical teams.

Most of the time a penetration test comes as a result of a major breach or leak that affected the application or the company. At that moment, managers and leaders take bold decisions about cybersecurity and what needs to be done. However, as time passes this motivation fades and, in most cases, they get distracted and lose focus on the project.

The right tools

In penetration testing, tools have an impact on the results in terms of quantity, as a lot of vulnerabilities can be found automatically. However, a penetration tester who relies only on tools will miss critical vulnerabilities that cannot be found automatically, such as business logic vulnerabilities: the application answers an abusive request with a perfectly valid-looking response, so there is no error or signature for a scanner to match.
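As an added example (not code from the original post), here is the kind of business logic flaw a scanner will not flag: a checkout that trusts client-supplied quantities and honours a single-use coupon any number of times, beside the hardened version. The catalogue, the coupon code and the request bodies are all constructed for the illustration.

```python
"""Added example, not code from the original post: a business-logic flaw in a
checkout that a generic scanner will not flag, next to the hardened version.
The catalogue, the coupon code and the request bodies are all constructed."""
import json

PRICES = {"book": 20.00, "pen": 2.50}   # constructed catalogue
COUPON_VALUE = {"SAVE10": 10.00}         # constructed single-use coupon


def total_vulnerable(items: dict, coupons: list) -> float:
    """Naive total: quantities are trusted as sent by the client and every
    coupon in the list is honoured. A negative quantity turns into a refund
    and the same coupon can be stacked any number of times."""
    subtotal = sum(PRICES[name] * qty for name, qty in items.items())
    for code in coupons:
        subtotal -= COUPON_VALUE.get(code, 0.0)
    return round(subtotal, 2)


def total_hardened(items: dict, coupons: list) -> float:
    """Same calculation with the business rules enforced on the server."""
    if not items:
        raise ValueError("empty order")
    for name, qty in items.items():
        if name not in PRICES:
            raise ValueError(f"unknown item {name!r}")
        if type(qty) is not int or qty < 1:
            raise ValueError(f"invalid quantity for {name!r}: {qty!r}")
    subtotal = sum(PRICES[name] * qty for name, qty in items.items())
    if len(coupons) != len(set(coupons)):
        raise ValueError("coupon used more than once")
    for code in coupons:
        if code not in COUPON_VALUE:
            raise ValueError(f"unknown coupon {code!r}")
        subtotal -= COUPON_VALUE[code]
    return round(max(subtotal, 0.0), 2)


def handle_checkout(body: str, total_fn) -> tuple:
    """Minimal stand-in for the HTTP endpoint: parses a JSON request body and
    returns (status, response body) using the chosen total function."""
    try:
        req = json.loads(body)
        total = total_fn(req.get("items", {}), req.get("coupons", []))
    except (ValueError, KeyError, TypeError) as exc:
        return 400, json.dumps({"error": str(exc)})
    return 200, json.dumps({"total": total})


# Constructed abusive request: a negative quantity plus a stacked coupon.
ABUSE = json.dumps({"items": {"book": 1, "pen": -8},
                    "coupons": ["SAVE10", "SAVE10", "SAVE10"]})
# Constructed legitimate request.
LEGIT = json.dumps({"items": {"book": 2, "pen": 4}, "coupons": ["SAVE10"]})

if __name__ == "__main__":
    # The vulnerable endpoint answers the abusive request with 200 and a
    # well-formed body: no error string, no 5xx, nothing for a signature-based
    # scanner to match. Only a tester who knows the pricing rules sees the bug.
    print(handle_checkout(ABUSE, total_vulnerable))   # (200, '{"total": -30.0}')
    print(handle_checkout(ABUSE, total_hardened))     # status 400, quantity rejected
    print(handle_checkout(LEGIT, total_hardened))     # (200, '{"total": 40.0}')
```

The point of the example is the response to the abusive request: a negative total delivered with HTTP 200 and valid JSON. A scanner looking for error strings, stack traces or unexpected status codes has nothing to match; finding this requires a human who understands what a valid order is supposed to cost.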

During a penetration test, many tools can be used to perform different tasks. Some are fully automated; others are semi-automated and perform a single task for the penetration tester.

For example:

  • Tools that brute force directory and file names
  • Tools that brute force passwords
  • Tools that identify the entry points of the application
  • Tools that scan the whole application looking for vulnerabilities
  • Tools that gather information about the application

The effectiveness of these tools depends on several criteria, such as how much of the application they cover and how fast they scan. Still, they do a good job of reducing the time the penetration tester needs to find basic vulnerabilities, which in turn makes the tester more effective.

Conclusion

I personally think that a penetration test can only be effective if the recommendations written in the report have been taken into consideration and the vulnerabilities have been fixed. Tools and methodologies are necessary to optimize the penetration test. However, if they are used or supervised by the wrong people, they become ineffective.

Written by: Z. Oualid


About the author

Z. Oualid

I am a cyber security expert. I have worked with many companies around the globe to secure their applications and their networks. I am OSCP and OSCE certified, which are the most recognized and hardest technical certifications in the cybersecurity industry. I am also a Certified Ethical Hacker (CEH). I hope you enjoy my articles :).
