
Chapter 2. Penetration Testing Methodology

Penetration testing, often abbreviated as pentest, is a process that is followed to conduct an in-depth security assessment or audit. A methodology defines a set of rules, practices, and procedures that are pursued and implemented during the course of any information security audit program. A penetration testing methodology defines a roadmap with practical ideas and proven practices that can be followed to assess the true security posture of a network, application, system, or any combination thereof. This chapter offers summaries of several key penetration testing methodologies. Key topics covered in this chapter include:

  • A discussion on two well-known types of penetration testing—black box and white box
  • The differences between vulnerability assessment and penetration testing
  • Several industry-acceptable security testing methodologies and their core functions, features, and benefits
  • A general penetration testing methodology that incorporates the 10 consecutive steps of a typical penetration testing process
  • The ethical dimension of how security testing projects should be handled

Penetration testing can be carried out independently or as a part of an IT security risk management process that may be incorporated into a regular development lifecycle (for example, Microsoft SDLC). It is vital to note that the security of a product not only depends on the factors that are related to the IT environment, but also relies on product-specific security best practices. This involves the implementation of appropriate security requirements, performing risk analysis, threat modeling, code reviews, and operational security measurement.

Penetration testing is considered to be the last and most aggressive form of security assessment. It must be handled by qualified professionals and can be conducted with or without prior knowledge of the targeted network or application. A pentest may be used to assess all IT infrastructure components, including applications, network devices, operating systems, communication media, physical security, and human psychology. The output of penetration testing usually consists of a report divided into several sections that address the weaknesses found in the current state of the target environment, followed by potential countermeasures and other remediation recommendations. Following a methodological process gives the pentester extensive benefits, helping them to understand and critically analyze the integrity of current defenses during each stage of the testing process.
