Penetration testing tool usage best practices

A quick look at when and how a penetration testing tool should be used -- along with the steps to take while using these solutions.

Vulnerabilities are often caused by misconfiguration or by failure to follow software development best practices. A penetration testing tool helps you find and fix these vulnerabilities. Powered by fuzzing algorithms and a knowledge base, a penetration testing tool lets testers feed malformed input into the input fields, ActiveX controls, components and services of a piece of software that may produce an exception such as a buffer overflow or abnormal termination.

Known attack vectors such as SQL strings, encoded JavaScript and dictionary values may trigger exceptions such as an on-screen error dump or a control bypass. Further analysis of such incidents can lead to vulnerability discovery.
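The mechanism described above, as an added example that is not code from the article: a minimal fuzz harness that feeds a small dictionary of inputs to a constructed toy endpoint and classifies each outcome as handled, crash (abnormal termination) or leak (an error dump returned to the caller). The endpoint, handler and dictionary are all constructed for illustration.

```python
# Added example, not code from the article: a minimal fuzz harness of the kind
# the text describes, run against a constructed toy endpoint. Each input from a
# small dictionary is classified as "handled", "crash" (abnormal termination)
# or "leak" (an error dump returned to the caller).
import traceback

# Constructed dictionary covering the input kinds the text names.
ATTACK_DICTIONARY = {
    "sql_string": "' OR '1'='1",
    "encoded_script": "%3Cscript%3Ealert(1)%3C%2Fscript%3E",
    "long_input": "A" * 5000,
    "null_byte": "user\x00admin",
}

def toy_handler(username: str) -> str:
    """Constructed application code with deliberate weaknesses to find."""
    if len(username) > 1024:
        raise OverflowError("fixed-size buffer exceeded")  # not caught anywhere
    if "'" in username:
        raise ValueError("syntax error in query near " + username)
    if "\x00" in username:
        return "invalid username"  # rejected gracefully
    return "welcome " + username

def toy_endpoint(username: str) -> str:
    """Constructed web layer: echoes internal errors to the caller (bad practice)."""
    try:
        return toy_handler(username)
    except ValueError:
        return "500 Internal Server Error\n" + traceback.format_exc()

def classify(response: str) -> str:
    """An error dump in the response is an information leak worth analysing."""
    return "leak" if "Traceback" in response or response.startswith("500") else "handled"

def fuzz(endpoint, dictionary):
    """Feed each payload to the endpoint and record what happened."""
    results = {}
    for name, payload in dictionary.items():
        try:
            results[name] = classify(endpoint(payload))
        except Exception:  # unhandled exception escaped the endpoint
            results[name] = "crash"
    return results

if __name__ == "__main__":
    for name, outcome in fuzz(toy_endpoint, ATTACK_DICTIONARY).items():
        print(f"{name:15} -> {outcome}")
```

Each "leak" or "crash" row is the kind of incident the text says deserves further analysis; "handled" rows show input the application rejected cleanly.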

A penetration testing tool has proxy capabilities that enable debugging of applications, so the tester can analyze software in its runtime environment, much as a developer does when fixing bugs. Debugging software lets testers understand the flow of information within an application or system. Debuggers, combined with a knowledge base, allow real-time analysis of instructions for possible vulnerabilities. (Until recently this was a difficult task, since testers had to understand the complete source code and perform manual analysis.)

Right time to use a penetration testing tool

Once a vulnerability is identified, a penetration testing tool is used to verify whether it is exploitable and what the associated exposure or risk is. Vulnerability analysis may produce observations that are either not exploitable or false positives. Penetration tools thus help in establishing a proof of concept.

A penetration testing tool can be used during system development as well as before or during production. However, a word of caution: testing directly on production systems carries a risk of data exposure or loss of availability or performance. It is recommended that one obtain explicit authorization from management and perform testing during a lean period.

Penetration testing has become a compliance obligation under standards like PCI-DSS and for regulatory agencies. These standards (or agencies) expect companies and system owners to perform penetration testing regularly, as frequently as every six months. Organizations are expected to create a testing schedule aligned with their compliance audits.

Penetration testing should be performed immediately after a vulnerability assessment: before moving a system to production, after major changes to an operating environment, or when migrating systems.

Steps to use a penetration testing tool

Identify goals: The goals of using a penetration testing tool come from management's expectations for conducting tests, or from regulatory or compliance requirements. The primary goal of any test is assurance about data confidentiality and data integrity.

What do you test? The scope defines the systems or areas to be included in the test. It may include servers, networks, systems and applications. Testers may add supporting systems that directly or indirectly affect elements defined in the scope; for example, testing a mail server may include the routers used to provision Internet bandwidth.

How do you test? Similar to project management, penetration testers follow a four-step process to conduct tests.

  • The first step is planning, which involves understanding the scope and the system. A tester using a penetration testing tool must understand the business objectives around elements included in the scope. This enables the tester to relate a technical vulnerability to the associated business risk.
  • The next step is a vulnerability assessment. This includes preparing test cases and executing them for each element in the scope, or for a sample. Sampling has to be done in line with the requirements of the penetration test the tool conducts. Vulnerability analysis can be manual or automated. A semi-automated approach usually works best, as the environment is highly distributed and heterogeneous.
  • Once vulnerabilities are found, the tester should validate whether they can be exploited and weed out false positives.
  • The last and most important aspect of testing is report generation and documentation. Testers must create reports that are conclusive and easy for management and business people to understand. At the same time, the report should support its findings and make recommendations.

Selection of a penetration testing tool: The choice of tool depends on the systems under test. Web applications require tools such as W3AF, which let testers set up a proxy to analyze applications. Similarly, network devices require tools like Nipper for configuration audits. Tool selection also depends on the type of penetration testing: white-box, black-box or grey-box. The type of testing determines how much information is available to the penetration tester before the start.

Interpreting conclusions: A penetration test's conclusions are submitted in the form of a report that highlights the risks associated with elements in the scope (or the services they provide). The intention is to give management or the business visibility into security threats. A qualitative rating is assigned to each observation so that management can prioritize control deployment in the mitigation plan accordingly.
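The validation, rating and reporting steps of the four-step process above, as an added example that is not the article's own code: scanner findings are filtered of false positives, given a qualitative rating from validated exploitability and business impact, and rendered as a report ordered for the mitigation plan. The findings, hosts and rating matrix are constructed sample data.

```python
# Added example, not the article's own code: turning raw assessment findings
# into the validated, rated report the four-step process ends with. All
# findings, hosts and the rating matrix are constructed sample data.
from collections import Counter

# Qualitative rating from (validated exploitability, business impact).
RATING_MATRIX = {
    (True, "high"): "Critical", (True, "medium"): "High", (True, "low"): "Medium",
    (False, "high"): "Medium", (False, "medium"): "Low", (False, "low"): "Low",
}
SEVERITY_ORDER = ["Critical", "High", "Medium", "Low"]

SAMPLE_FINDINGS = [  # constructed; "validation" is the tester's step-3 verdict
    {"id": "F-1", "host": "web01", "title": "SQL injection in login form",
     "validation": "exploitable", "impact": "high"},
    {"id": "F-2", "host": "web01", "title": "Error page reveals stack trace",
     "validation": "exploitable", "impact": "low"},
    {"id": "F-3", "host": "db01", "title": "Outdated TLS cipher suites offered",
     "validation": "not_exploitable", "impact": "medium"},
    {"id": "F-4", "host": "rtr01", "title": "Default SNMP community string",
     "validation": "exploitable", "impact": "medium"},
    {"id": "F-5", "host": "web01", "title": "Scanner-reported XSS in search",
     "validation": "false_positive", "impact": "medium"},
]

def rate(validation: str, impact: str) -> str:
    return RATING_MATRIX[(validation == "exploitable", impact)]

def triage(findings):
    """Drop false positives, rate the rest and order them for the mitigation plan."""
    kept = [dict(f, rating=rate(f["validation"], f["impact"]))
            for f in findings if f["validation"] != "false_positive"]
    return sorted(kept, key=lambda f: (SEVERITY_ORDER.index(f["rating"]), f["id"]))

def summary(triaged) -> Counter:
    return Counter(f["rating"] for f in triaged)

def render_report(findings) -> str:
    """Plain-text report: counts first for management, then the ordered findings."""
    triaged = triage(findings)
    counts = summary(triaged)
    lines = ["Findings by rating: " + ", ".join(f"{r}={counts[r]}" for r in SEVERITY_ORDER)]
    lines.append(f"{len(findings) - len(triaged)} scanner observation(s) discarded as false positives")
    lines += [f"[{f['rating']}] {f['id']} {f['host']}: {f['title']}" for f in triaged]
    return "\n".join(lines)

if __name__ == "__main__":
    print(render_report(SAMPLE_FINDINGS))
```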

About the author:
Tarun Gupta is the lead of information security for Sistema Shyam Teleservices - MTS India.

(As told to Anuradha Ramamirtham)
