Penetration Testing

Vulnerability scanning should occur frequently, on the scale of once a month. Vulnerability scanning should consist of configuration verification and software version (including patch level) verification.
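As an added example (not code from the original post, and not any particular scanner's implementation), the following Python script performs the two checks that routine vulnerability scanning is described as consisting of: software version and patch-level verification, and configuration verification. The host inventory, package names, version numbers and configuration values are all constructed for the illustration, as are the baseline minimums.

```python
"""Added example: a minimal scanner for the two routine checks described in the
post, version/patch-level verification and configuration verification, run over
a constructed host inventory. All host names, package versions and config values
below are made up for illustration."""
import re

# Constructed inventory: what a collector (agent or SSH-based) would report per host.
INVENTORY = {
    "web-01": {
        "packages": {"openssl": "3.0.13", "nginx": "1.24.0"},
        "config": {"sshd": {"PermitRootLogin": "no", "PasswordAuthentication": "yes"}},
    },
    "db-01": {
        "packages": {"openssl": "3.0.9", "postgresql": "15.6"},
        "config": {"sshd": {"PermitRootLogin": "yes", "PasswordAuthentication": "no"}},
    },
}

# Constructed baseline: minimum acceptable version per package (placeholder numbers,
# not real advisories) and the required value for each configuration key.
MIN_VERSIONS = {"openssl": "3.0.12", "nginx": "1.24.0", "postgresql": "15.6"}
REQUIRED_CONFIG = {"sshd": {"PermitRootLogin": "no", "PasswordAuthentication": "no"}}


def parse_version(version):
    """Turn '1.2.10' into (1, 2, 10) so versions compare numerically, not as
    strings ('1.2.10' < '1.2.9' lexically, which is the classic scanner bug).
    Non-numeric suffixes such as 'p1' are ignored."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def version_below(installed, minimum):
    """True when the installed version is older than the required minimum.
    Both tuples are zero-padded to equal length so '3.0' equals '3.0.0'."""
    inst, req = parse_version(installed), parse_version(minimum)
    width = max(len(inst), len(req))
    return inst + (0,) * (width - len(inst)) < req + (0,) * (width - len(req))


def scan_host(name, host):
    """Return the list of findings (strings) for one host."""
    findings = []
    # Patch-level verification: every inventoried package against its minimum.
    for pkg, installed in host["packages"].items():
        minimum = MIN_VERSIONS.get(pkg)
        if minimum and version_below(installed, minimum):
            findings.append(f"{name}: {pkg} {installed} is below required {minimum}")
    # Configuration verification: every required key must hold the expected value.
    for service, required in REQUIRED_CONFIG.items():
        actual = host["config"].get(service, {})
        for key, expected in required.items():
            got = actual.get(key)
            if got != expected:
                findings.append(f"{name}: {service} {key}={got!r}, expected {expected!r}")
    return findings


def scan(inventory=INVENTORY):
    """Scan every host; returns {host_name: [findings]}."""
    return {name: scan_host(name, host) for name, host in inventory.items()}


if __name__ == "__main__":
    for host, findings in scan().items():
        print(f"{host}: {'OK' if not findings else str(len(findings)) + ' finding(s)'}")
        for finding in findings:
            print("  -", finding)
```

Run monthly against a real inventory, the interesting design choice is the numeric version comparison: a scanner that compares version strings lexically will report a host on 1.2.10 as older than 1.2.9 and miss the one that is actually behind.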

More rigorous testing for vulnerabilities should occur once or twice a year. This more rigorous testing needs a name, and the name in use is penetration testing, or pentesting.

During this more rigorous testing, the penetration test, the tester gathers network and device information and simulates a malicious attack to check for points of access into servers containing sensitive data. Tools like nmap, Nessus and Nikto are typically employed during penetration testing.

The boundaries of penetration testing must be clearly defined. What is a penetration test? Whatever the contract says it is.

Case in point: episode 229 of the PaulDotCom podcast, in which the customer acknowledges that their ID card readers have a known vulnerability, and “you can’t test that” … which evokes shameless derisive laughter. But why should it? Isn’t the customer trying to find out what they don’t know? Replacing an ID card reader system, for example, is an expensive process; knowing that it has a vulnerability doesn’t make a budget appear. A penetration test is what the contract says it is.
