Product launched? Then it’s pentest time!

Erbis
6 min read · Aug 11, 2021

Software development is a complex process that requires careful planning, suitable technology selection, and thorough testing. However, successfully launching the product is not the end of the process.

The next step is to organize ongoing maintenance and confirm your product is well protected from external attacks. A reliable way to check this is penetration testing, or pentesting. It simulates hacker attacks on different system levels and records how the software responds to malicious interventions. In this post, we want to stress the essential features of pentesting, explain the responsibilities of the pentest engineer, and detail the cybersecurity testing services provided at Erbis.

When hackers are on your side

Developments in technology force criminal hackers to improve their skills and develop more sophisticated attacks. Today, malicious interventions are not just about hijacking accounts and stealing credentials: they penetrate deeper software layers and can completely alter the software system. With this in mind, pentest specialists must know where the danger comes from. By anticipating the likely targets of hacker attacks, they can draw up a comprehensive test plan that covers all plausible malicious intervention scenarios.

As of today, there are many types of cyberattacks that harm software on different system levels. The most common types are cross-site scripting, man-in-the-middle attacks, denial-of-service attacks, SQL injection, and DNS tunneling.

Let’s look at them in more detail.

Cross-site scripting (XSS) means injecting malicious JavaScript code into an app or website page. This code executes every time a user visits the page, allowing an attacker to obtain the user's credentials, redirect them to another page, or perform other illegal activities.

A man-in-the-middle (MitM) attack enables an attacker to intercept traffic transmitted from the client to the server, thus gaining access to sensitive records. A MitM attack can be carried out, for example, by changing the DNS server settings or the hosts file on the victim's machine.

A denial-of-service (DoS) attack floods a software service, for example a web server, with more requests than it has the capacity to process. As a result, the attacked resource becomes unavailable, and the whole service can be down for up to several hours.

SQL injection means inserting malicious SQL code into a database query to read database tables or add/change local files. This type of attack becomes possible when the app fails to properly handle the input data it uses in SQL queries.

DNS tunneling allows an attacker to transmit arbitrary traffic on top of the DNS protocol. It cannot be blocked by simple firewall rules because there is no way to distinguish legitimate DNS traffic from DNS tunnel traffic. One of the signs of DNS tunneling is an unusually high volume of DNS requests.
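An added example, not part of the original post: a small detector that applies the sign mentioned above (request volume per client and base domain) to a constructed DNS query log, and goes one step beyond the text by also flagging unusually long leftmost labels, which tunnels use to carry data. The log format, the thresholds, and the two-label approximation of the base domain are assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed sample log, one "client_ip queried_name" pair per line. Not real traffic.
SAMPLE_LOG = """\
10.0.0.5 www.example.com
10.0.0.5 mail.example.com
10.0.0.5 cdn.example.com
10.0.0.7 a9f3k2m8q1z7x4c6.t.tunnel-example.net
10.0.0.7 b7d1p0w5e2r9t3y8.t.tunnel-example.net
10.0.0.7 c4h6j8k0l2n4m6b8.t.tunnel-example.net
10.0.0.7 d2f4g6h8j0k2l4z6.t.tunnel-example.net
10.0.0.7 e1r3t5y7u9i1o3p5.t.tunnel-example.net
10.0.0.7 f0a2s4d6f8g0h2j4.t.tunnel-example.net
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)$")

def base_domain(name: str) -> str:
    """Registrable domain approximated as the last two labels (an assumption;
    a production detector would consult the Public Suffix List)."""
    return ".".join(name.rstrip(".").split(".")[-2:])

def analyse(log: str, max_queries: int = 5, max_label_len: int = 12) -> list:
    """Return (client, base_domain, count, avg_leftmost_label_len) for every
    client/domain pair that exceeds either threshold. Thresholds are assumed
    values for the demo and would be tuned per network."""
    counts = Counter()
    label_lens = defaultdict(list)
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than crash on them
        client, name = m.groups()
        key = (client, base_domain(name))
        counts[key] += 1
        label_lens[key].append(len(name.split(".")[0]))
    flagged = []
    for key, n in counts.items():
        avg = sum(label_lens[key]) / len(label_lens[key])
        if n > max_queries or avg > max_label_len:
            flagged.append((key[0], key[1], n, round(avg, 1)))
    return flagged

if __name__ == "__main__":
    for client, domain, n, avg in analyse(SAMPLE_LOG):
        print(f"{client} -> {domain}: {n} queries, avg label length {avg}")
```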

Pentest checklist: what you might have missed

A pentester must understand and take into account all known types of cyberattacks. They should also keep zero-day exploits in mind: previously unknown vulnerabilities that are detected during the first release, leaving developers zero days to fix them.

In any case, the pentesting methodology is developed individually for each product. Whether it is carried out using the white-box or black-box technique, each test case is written with the specific features of the system in mind, such as

  • IT infrastructure (cloud or local)
  • database management structure
  • network equipment and services
  • operating systems for servers and users
  • tools to protect corporate information
  • third-party software
  • etc.

In addition, a pentest checklist should include a few mandatory stages to perform a full scan of the system and identify its possible weaknesses. Here are the things to do:

1. Prepare. At this stage, pentesters collect information about the system, define testing goals, and select penetration testing services and tools.

2. Scan. Pentesters assess the vulnerability of the code by conducting static and dynamic analysis. In other words, they examine the application both when it is not running and when it is in the active phase.

3. Attack. Pentest specialists attack the application using different methods and watch how it reacts to different types of attacks. The main goal at this stage is to access sensitive data and understand the damage that can be caused.

4. Maintain access. After gaining system access, the pentesters check how long they can maintain it. The longer the application fails to respond to the intrusion, the more damage can be done to it and the more data is likely to be stolen.

5. Report. At the final stage of security testing, pentesters document the work results and provide the client with a detailed description of software vulnerabilities and recommendations for their elimination. Here is the information the pentest report includes:

  • how and when the system was attacked
  • what vulnerabilities were detected
  • what data was accessed
  • how long the app allowed the intruders to be inside
  • what changes should be made to enhance software security
  • which services are best used to achieve the desired results

Pentesters: who are they?

If you need penetration testing services and are looking for relevant specialists, it is necessary to understand that pentesters are not the same as QA engineers. They do not accompany the product throughout development and do not test it at different implementation stages.

Before starting to work, pentesters agree with the client on the testing approach: black, white, or gray-box testing.

Black-box testing means the pentest engineers know nothing about your product: they do not study software documentation, do not communicate with the developers, and do not research the technologies that have been applied. Instead, the pentesters get to know your product just like regular users do. However, their goal is not to benefit from using the app but to harm it as much as possible.

White-box testing assumes the client provides information about how the system works, so the pentesters know potential weak points to check. With this approach, the pentesters no longer go in blind. Instead, they have enough knowledge about the software to prepare thoroughly for testing and attacking its most vulnerable spots.

Gray-box testing is a mixed version of the first two approaches. It means the client partially informs the pentesters about the software security system. The pentest engineers then write tests based on high-level descriptions of program behavior, such as a software algorithm or architecture.

With this in mind, it is fair to say that pentesters are essentially hackers. They have deep knowledge of IT technologies, vast experience interacting with various devices, and keen insight into hidden ways into software.

Nevertheless, the main difference between pentesters and hackers is the purpose of their activity. While actual attackers act for personal gain, pentesters aim to identify weaknesses in the system and suggest fixes to its owners. It is for this reason that pentesters are often called ethical hackers. After all, they direct their skills toward the right ends and work for the benefit of society.

Penetration testing with Erbis

The Erbis philosophy is based on the principles of secure development using the most advanced methods and up-to-date tools. We follow a secure software development lifecycle (SSDLC) and have successfully applied it to many projects of varying complexity. Penetration testing is one of the areas in which we have deep expertise and a mature team of well-prepared specialists. Our engineers keep abreast of the latest cybersecurity developments and adhere to the best practices of hacker-powered security testing.

The main methodologies we use during security penetration testing are the Open Web Application Security Project (OWASP) and the Penetration Testing Execution Standard (PTES). Among other recommendations, they provide a detailed description of how to organize the testing process and which areas to cover. Of course, the chosen workflow is always adapted to the project's nature. However, the core testing plan usually looks as follows:

  • Configuration and deployment management testing
  • Identity management testing
  • Authentication testing
  • Authorization testing
  • Session management testing
  • Input validation testing
  • Error handling
  • Cryptography
  • Business logic testing
  • Client-side testing

If you are looking for a penetration testing company or need advice on security issues, please get in touch. After studying your project, our experts will develop an effective pentesting plan and help you establish reliable protection for your software.