Penetration testing methodology
When scoping a test, it is important to know the different types of tests and what they consist of; these can be broken down into three groups:
- White-box penetration testing: Here, the tester has complete access and in-depth knowledge of the system being tested. The testers work with the client and have access to insider information, servers, software running, network diagrams, and sometimes even credentials. This test type is normally used to test new applications before they are put into production and are routinely conducted as part of the Systems Development Life Cycle (SDLC); this helps to identify vulnerabilities and remedy them before rolling out to production.
- Black-box penetration testing: In the black-box penetration testing approach, only high-level information is made available to the tester. The tester is totally unaware of the system/network, making this testing type as close to the real world as possible. The tester has to acquire all of their information using creative methods within the agreement of the client. While this approach mimics the real world, it sometimes misses some areas during testing. If not scoped properly, it can be very costly to the client as well as time-consuming. The tester would explore all attack vectors and report their findings. The tester must be careful because things can break during this type of test.
- Gray-box penetration testing: In the middle of the two extremes lies gray-box penetration testing; only limited information is available to the tester to attack the system externally. These tests are usually run within a limited scope, with the tester having some information about the system.
Regardless of which kind of test is chosen, it is important to also follow a standard or set of guidelines to ensure best practices. We will discuss some of the most popular standards in more detail:
- OWASP testing guide
- PCI penetration testing guide
- Penetration Testing Execution Standard
- NIST 800-115
- Open Source Security Testing Methodology Manual (OSSTMM)