Key Facts About Real Pen Testing 

  • Writer: Greg Johnson
  • 7 days ago

By CEO Greg Johnson - PCIP


I started Webcheck Security in 2018 as a world-class pen test and assessment/advisory firm. I wanted to combine excellent testing, conducted by highly experienced and certified engineers, with a genuine “CX,” or customer experience.



We did just that when we hired our first professional project manager to shepherd each customer project. This lets clients meet and communicate with their testers over a secure channel (establishing a relationship), and it provides quality follow-up advisement, a debrief, and remediation testing.


Recently, we have added automated testing for the budget-constrained segment of the industry, and for those who want reasonably priced PTaaS (ongoing monthly pen testing as a service) on a sound AI-based platform.


That said, the quality of what manual testers do, using multiple tools, is largely captured by the PCI requirements, which also correlate to FedRAMP and to quality testing as defined by many other standards, including NIST and OWASP. I share the following excerpts from the PCI Council here, taken directly from the PCI DSS v4.0.1 document:


11.4.1 A penetration testing methodology is defined, documented, and implemented by the entity, and includes: 

  • Industry-accepted penetration testing approaches.

  • Coverage for the entire CDE perimeter and critical systems.

  • Testing from both inside and outside the network.

  • Testing to validate any segmentation and scope-reduction controls.

  • Application-layer penetration testing to identify, at a minimum, the vulnerabilities listed in Requirement 6.2.4.

  • Network-layer penetration tests that encompass all components that support network functions as well as operating systems.

  • Review and consideration of threats and vulnerabilities experienced in the last 12 months.

  • Documented approach to assessing and addressing the risk posed by exploitable vulnerabilities and security weaknesses found during penetration testing.

  • Retention of penetration testing results and remediation activities results for at least 12 months. 


Further…


Purpose


Attackers spend a lot of time finding external and internal vulnerabilities to leverage to obtain access to cardholder data and then to exfiltrate that data. As such, entities need to test their networks thoroughly, just as an attacker would do. This testing allows the entity to identify and remediate weaknesses that might be leveraged to compromise the entity’s network and data, and then to take appropriate actions to protect the network and system components from such attacks.


Good Practice 

Penetration testing techniques will differ based on an organization’s needs and structure and should be suitable for the tested environment—for example, fuzzing, injection, and forgery tests might be appropriate. The type, depth, and complexity of the testing will depend on the specific environment and the needs of the organization. 


Definitions

Penetration tests simulate a real-world attack situation intending to identify how far an attacker could penetrate an environment, given differing amounts of information provided to the tester. This allows an entity to better understand its potential exposure and develop a strategy to defend against attacks. A penetration test differs from a vulnerability scan, as a penetration test is an active process that usually includes exploiting identified vulnerabilities.



Scanning for vulnerabilities alone is not a penetration test, nor is a penetration test adequate if the focus is solely on trying to exploit vulnerabilities found in a vulnerability scan. Conducting a vulnerability scan may be one of the first steps, but it is not the only step a penetration tester will perform to plan the testing strategy. Even if a vulnerability scan does not detect known vulnerabilities, the penetration tester will often gain enough knowledge about the system to identify possible security gaps.


Penetration testing is a highly manual process. While some automated tools may be used, the tester uses their knowledge of systems to gain access into an environment. Often the tester will chain several types of exploits together with the goal of breaking through layers of defenses. For example, if the tester finds a way to gain access to an application server, the tester will then use the compromised server as a point to stage a new attack based on the resources to which the server has access. In this way, a tester can simulate the techniques used by an attacker to identify areas of potential weakness in the environment. The testing of security monitoring and detection methods—for example, to confirm the effectiveness of logging and file integrity monitoring mechanisms—should also be considered.


Further Information

Refer to the Information Supplement: "Penetration Testing Guidance" for additional guidance.

Industry-accepted penetration testing approaches include:

  • The Open Source Security Testing Methodology and Manual (OSSTMM)

  • Open Web Application Security
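The PCI text above says a test should also confirm that detection controls such as file integrity monitoring actually report changes. As an added example (not code from the Webcheck post or the PCI Council), the following Python builds a SHA-256 baseline of a directory tree, then re-checks it after a constructed set of changes and reports exactly which files were modified, added or deleted. The directory contents, file names and the `demo()` scenario are constructed for the example; a real FIM control would be validated the same way, by making known changes and confirming that every one of them is reported.

```python
"""
Added example: a minimal file-integrity baseline/verify routine that a tester
can use to check whether a FIM mechanism reports modified, added and deleted
files. All paths and contents below are constructed for the demonstration.
"""
import hashlib
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """Return the SHA-256 hex digest of a file, read in 64 KiB chunks."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map every regular file under root (POSIX-style relative path) to its digest."""
    baseline = {}
    for entry in sorted(root.rglob("*")):
        if entry.is_file():
            baseline[entry.relative_to(root).as_posix()] = hash_file(entry)
    return baseline


def verify(root: Path, baseline: dict) -> dict:
    """Compare the current tree against a baseline and list every deviation."""
    current = build_baseline(root)
    return {
        "modified": sorted(
            name for name in baseline if name in current and current[name] != baseline[name]
        ),
        "added": sorted(set(current) - set(baseline)),
        "deleted": sorted(set(baseline) - set(current)),
    }


def demo() -> dict:
    """Constructed scenario: baseline a tree, apply three known changes, re-verify."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "etc" / "app.conf").write_text("debug=false\n")
        (root / "bin").mkdir()
        (root / "bin" / "service").write_bytes(b"\x7fELF-placeholder")
        baseline = build_baseline(root)

        # Known changes that an effective FIM control must flag.
        (root / "etc" / "app.conf").write_text("debug=true\n")  # modified
        (root / "bin" / "helper").write_bytes(b"new-binary")    # added
        (root / "bin" / "service").unlink()                      # deleted

        return verify(root, baseline)


if __name__ == "__main__":
    # Expected: {'modified': ['etc/app.conf'], 'added': ['bin/helper'], 'deleted': ['bin/service']}
    print(demo())
```

The same baseline/verify pair can be pointed at real system paths; the useful check during a test is not the script's output but whether the organisation's own monitoring raised an alert for each of the three change types.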


The PCI Council then goes on to share more solid information about authenticated internal testing, and refers to Requirement 6 on testing web applications. The point here is: AI is getting good, but real testers and CISOs know it has limitations.


Fortunately, we can do both at Webcheck Security! We invite you to discuss with us the pros and cons of each model. We also invite you to inquire about Webcheck Cadence, which takes your scope, offers full testing, and then provides a monthly or quarterly PTaaS follow-up using an AI-based automated platform. We look forward to discussing with you at GetInTouch@webchecksecurity.com or 1-800-PEN-TEST!
