The importance of standardising methodology in penetration testing.(DATABASE AND NETWORK INTELLIGENCE)

Database and Network Journal

June 01, 2009 | Frankland, Jane | COPYRIGHT 2009 A.P. Publications Ltd. This material is published under license from the publisher through the Gale Group, Farmington Hills, Michigan. All inquiries regarding rights should be directed to the Gale Group.

They say people are a company's greatest asset but when it comes to penetration testing people are still the weakest link. When an organisation commissions a penetration test, should it be shocked to learn that the techniques used by many are failing to identify their vulnerabilities and are instead leaving them open to attack? This article proposes a different approach to penetration testing, one that focuses more on methodology than on software tools.

These days, business applications, and in particular web applications, have become vital information assets within many organisations, providing access to (and therefore exposing) key data to internal staff, external partners and the public at large. However, with an onslaught of attacks, organisations now face increasing complexity in balancing the need to deliver information services with the need to manage data securely.

Securing an application is a complex, yet necessary requirement for almost all businesses. The uniqueness of each application brings a challenge to ensure that the security requirements (functional and non-functional) are established, designed and implemented effectively. Only through a thorough penetration test can the associated security threats (such as exposure, theft or modification of sensitive data, regulatory or commercial impacts, and brand damage) be identified, the risks quantified, and suggested actions provided.

When an organisation commissions a penetration test the expectation is that these security threats will be identified. In practice, however, many are not and organisations are being left exposed and at risk to attack.

For any organisation, a false belief that it has an accurate view of its security posture can be as damaging as having no idea at all. To blame the quality of the penetration testers would be easy, but it could be unfair. No matter how experienced or well-meaning they are, if the process isn't well communicated and understood the results will be haphazard.

For this reason alone, a strong penetration testing methodology must be in place to ensure that the critical threats to the application, its data and the underlying infrastructure are mitigated to a sufficient level (risk driven), and also to identify lower impact, but important security issues.

A well-defined methodology is paramount in any activity that requires repeatable results. With a methodology, the process of achieving a result can be studied and the results verified. Without one, accurate vulnerability identification, risk profiling and therefore assurance become very difficult. Methodology should be the foundation upon which assessment is built.
