
Requirements for Outsourced Penetration Tests

Signs of a qualified pen tester

Penetration tests should leave systems unharmed while uncovering vulnerabilities that could cost you customer data, intellectual property, and your reputation. A reckless approach does the opposite: poorly built tooling produces false negatives that leave vulnerabilities undiscovered, and intrusive, disruptive attacks that go too far damage the very systems under test.

A qualified penetration tester works in a controlled, non-destructive way. Pen testers should do more than run free testing tools and scripts of unknown provenance. They trace data flows for exploitable logic errors, determine whether privileged information is reachable by unprivileged users, and leave an audit trail that shows what they tested, how they tested it, and what they found.

With examples of the kinds of methods you should expect from qualified pen testers, you can vet these professionals before you engage them.

Checking dataflows for exploitable logic errors

Logic errors are programming mistakes that let software behave in ways its designers did not intend. If an attacker can trigger such behavior, it becomes a way into the website or application. A classic case is an off-by-one error in a bounds check: a copy loop that writes one byte past the end of a stack buffer overwrites whatever sits next to it (a length, a flag, a saved pointer), and an attacker who controls the input can use that to corrupt memory and, in the worst case, execute code of their choosing.

Pen testers apply data-flow testing: they trace where each variable is defined and where it is used along the program’s control-flow paths, and look for anomalies in those definition-use pairs. A variable read before it is assigned, assigned again before its previous value is ever read, or cleared or freed and then used are the patterns that point to a logic flaw, because each means the code is not doing what the programmer assumed. By looking at when and how the programmer declares, defines, clears, and releases each variable, the pen tester can isolate the flaws an attacker can exploit.
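As an added example (not the article’s code), here is a minimal definition-use analysis of the kind described above, written in Python and run against Python source with the standard library’s ast module. The paging function it inspects is constructed for the illustration; the analysis treats the function body as straight-line code and ignores branches and loops, which a real tool would not.

```python
"""Minimal definition-use (def-use) anomaly check over one Python function.

Added illustration, not the article's code. It walks the function's AST in
source order and applies the classic data-flow anomaly rules to each variable:
a read with no prior assignment, a second assignment before the first value is
read, and a final assignment that is never read. Branches and loops are
treated as straight-line code, which is enough to show the idea.
"""
import ast

# Constructed sample: a paging routine with three data-flow anomalies, one of
# which (the dead `end = start + size` line) masks an extra-row off-by-one.
SAMPLE = '''
def page(rows, size):
    start = (page_no - 1) * size
    page_no = 1
    end = start + size
    end = start + size + 1
    return rows[start:end]
'''

# Constructed clean version of the same routine: no anomalies expected.
CLEAN = '''
def page(rows, size, page_no):
    start = (page_no - 1) * size
    end = start + size
    return rows[start:end]
'''


def def_use_events(func_src):
    """Return (lineno, name, kind) events in execution order; kind is 'def' or 'use'.

    Parameters count as definitions on the `def` line. Within a line, reads are
    ordered before writes because `x = x + 1` reads x before it stores x.
    """
    tree = ast.parse(func_src)
    func = next(n for n in ast.walk(tree) if isinstance(n, ast.FunctionDef))
    events = [(func.lineno, arg.arg, "def") for arg in func.args.args]
    for node in ast.walk(func):
        if isinstance(node, ast.Name):
            if isinstance(node.ctx, ast.Store):
                events.append((node.lineno, node.id, "def"))
            elif isinstance(node.ctx, ast.Load):
                events.append((node.lineno, node.id, "use"))
    # ast.walk is breadth-first, so restore source order: by line, reads first.
    return sorted(events, key=lambda e: (e[0], e[2] == "def"))


def find_anomalies(func_src):
    """Return sorted (lineno, name, anomaly) tuples for the function in func_src."""
    state = {}     # name -> "defined" (value not yet read) or "used"
    last_def = {}  # name -> line of its most recent assignment
    anomalies = []
    for lineno, name, kind in def_use_events(func_src):
        if kind == "use":
            if name not in state:
                anomalies.append((lineno, name, "use-before-def"))
            else:
                state[name] = "used"
        else:
            if state.get(name) == "defined":
                anomalies.append((lineno, name, "redefined-unused"))
            state[name] = "defined"
            last_def[name] = lineno
    for name, status in state.items():
        if status == "defined":
            anomalies.append((last_def[name], name, "defined-unused"))
    return sorted(anomalies)


if __name__ == "__main__":
    for lineno, name, anomaly in find_anomalies(SAMPLE):
        print(f"line {lineno}: {name}: {anomaly}")
```

On the constructed sample the check reports `page_no` read before it is assigned, the `page_no = 1` assignment that nothing ever reads, and `end` assigned twice with no read in between. The dead first `end` assignment is the one a reviewer would chase: the line that survives returns one row more than the caller asked for.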

Keeping privileged information from unprivileged users

A pen tester should determine whether the developer used a weak approach to keeping privileged information away from unprivileged users. Is the data genuinely inaccessible, or merely masked or hidden on the client? Hiding an element with CSS, for example, only stops the browser from rendering it; the data is still sent to every user, who can read it with the browser’s “view source” or developer tools, and a hidden form field that carries a role or account identifier can be edited before the form is submitted.
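One way to run the “view source” check systematically, as an added example rather than anything from the article: parse the response and list everything that is hidden on the client yet present in the markup. The account page below is constructed for the illustration. Only inline styles and the hidden attribute are recognised, so elements hidden through an external stylesheet would still need a manual look at the CSS the page loads.

```python
"""Report data a page hides on the client but still ships to every user.

Added illustration, not the article's code. It parses an HTML response with
the standard library and lists (a) text inside elements hidden with the
`hidden` attribute or an inline `display:none` / `visibility:hidden` style and
(b) hidden form fields, which a user can edit before submitting. Elements
hidden only through an external stylesheet are out of scope here.
"""
import re
from html.parser import HTMLParser

HIDE_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)
VOID_TAGS = {"br", "hr", "img", "input", "link", "meta"}

# Constructed response for an ordinary user's account page.
SAMPLE_HTML = """
<html><body>
<h1>Account</h1>
<p>Welcome, alice</p>
<div class="tools" style="display:none">
  <a href="/admin/export">Export all customers</a>
  <span>Internal account id: 4471</span>
</div>
<form action="/profile" method="post">
  <input type="hidden" name="role" value="user">
  <input type="hidden" name="account_id" value="4471">
  <input type="text" name="display_name" value="alice">
</form>
<table><tr hidden><td>Support PIN</td><td>2291</td></tr></table>
</body></html>
"""


class HiddenContentFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.stack = []         # open elements as (tag, is_hidden)
        self.hidden_depth = 0   # > 0 while inside a hidden subtree
        self.text = []          # text collected inside the current hidden subtree
        self.findings = []      # (kind, detail)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input" and (a.get("type") or "").lower() == "hidden":
            self.findings.append(("hidden-input", f"{a.get('name')}={a.get('value')}"))
        if tag in VOID_TAGS:
            return  # no end tag will follow, so nothing to track
        hidden = "hidden" in a or bool(HIDE_STYLE.search(a.get("style") or ""))
        if hidden:
            self.hidden_depth += 1
        self.stack.append((tag, hidden))

    def handle_endtag(self, tag):
        if tag not in [t for t, _ in self.stack]:
            return  # stray close tag, ignore
        while self.stack:
            open_tag, hidden = self.stack.pop()
            if hidden:
                self.hidden_depth -= 1
                if self.hidden_depth == 0:
                    # Leaving the outermost hidden element: emit its text as one finding.
                    self.findings.append(("hidden-text", " ".join(self.text)))
                    self.text = []
            if open_tag == tag:
                break

    def handle_data(self, data):
        if self.hidden_depth > 0 and data.strip():
            self.text.append(data.strip())


def find_hidden_content(html):
    """Return [(kind, detail), ...] for everything hidden from view but present in the source."""
    finder = HiddenContentFinder()
    finder.feed(html)
    finder.close()
    return finder.findings


if __name__ == "__main__":
    for kind, detail in find_hidden_content(SAMPLE_HTML):
        print(f"{kind:13} {detail}")
```

On the sample page the finder surfaces an admin export link and an internal account id that the CSS keeps off screen, a support PIN in a hidden table row, and two hidden form fields (`role`, `account_id`) whose values the server must not trust when the form comes back.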

Pen testers should try to reach privileged information while logged in to unprivileged accounts. Can the pen tester supply a malformed value in a link or form parameter of a web application that has a database on the backend, and draw a database error? If so, user input is reaching the query unsanitized and the application is leaking its internals through error messages. That is a finding in itself, but the tester should go on to confirm whether the flaw can be pushed further to read data the account is not entitled to, rather than conclude from the error alone that privileged data is exposed.
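The malformed-value probe described above, as an added example (not the article’s or any vendor’s tooling). The two endpoint stand-ins and the parameter name `id` are constructed for the illustration; the error fragments are ones the named database engines actually emit, and the `fetch` callable is the seam where a real HTTP client would plug in.

```python
"""Probe a parameter with malformed values and flag database errors in the reply.

Added illustration, not the article's code. `probe_parameter` takes a
`fetch(params) -> (status, body)` callable so the same logic runs against a real
HTTP client or, as here, against two constructed stand-in endpoints: one that
splices the `id` parameter straight into a MySQL query and one that validates it
first.
"""
import re

# Error fragments that surface when unsanitised input breaks a SQL statement.
DB_ERROR_SIGNATURES = {
    "MySQL": re.compile(r"You have an error in your SQL syntax", re.I),
    "PostgreSQL": re.compile(r"syntax error at or near", re.I),
    "MSSQL": re.compile(r"Unclosed quotation mark after the character string", re.I),
    "Oracle": re.compile(r"\bORA-\d{5}\b"),
    "SQLite": re.compile(r"SQLite3::SQLException|near \".*?\": syntax error", re.I),
}

# Values that break quoting or statement structure without trying to exploit anything.
MALFORMED_VALUES = ["'", '"', "\\", "1'", "1;"]


def classify_db_error(body):
    """Return the name of the engine whose error text appears in body, else None."""
    for engine, pattern in DB_ERROR_SIGNATURES.items():
        if pattern.search(body):
            return engine
    return None


def probe_parameter(fetch, param, baseline="1"):
    """Return [(value, status, engine), ...] for malformed values that drew an error.

    A baseline request with a well-formed value goes first; if even that page
    shows a database error the endpoint is broken regardless of input, the probe
    results would mean nothing, and a single baseline finding is returned instead.
    """
    status, body = fetch({param: baseline})
    engine = classify_db_error(body)
    if engine:
        return [("baseline", status, engine)]
    findings = []
    for value in MALFORMED_VALUES:
        status, body = fetch({param: value})
        engine = classify_db_error(body)
        if engine or status >= 500:
            findings.append((value, status, engine))
    return findings


def vulnerable_endpoint(params):
    """Constructed stand-in for /item?id=...: the value is spliced into a quoted SQL literal."""
    item_id = params.get("id", "")
    # An unbalanced quote, or a trailing backslash that escapes the closing quote,
    # leaves the statement unterminated; the stand-in echoes the engine's message
    # the way an unhandled-exception page would.
    if item_id.count("'") % 2 == 1 or item_id.endswith("\\"):
        return 500, ("You have an error in your SQL syntax; check the manual that "
                     f"corresponds to your MySQL server version near '{item_id}'' at line 1")
    return 200, f"<h1>Item {item_id}</h1>"


def hardened_endpoint(params):
    """Constructed stand-in that validates the id before it gets anywhere near the database."""
    item_id = params.get("id", "")
    if not item_id.isdigit():
        return 400, "<h1>Bad request</h1>"
    return 200, f"<h1>Item {item_id}</h1>"


if __name__ == "__main__":
    for value, status, engine in probe_parameter(vulnerable_endpoint, "id"):
        print(f"id={value!r}: HTTP {status}, {engine} error text in response")
    print("hardened:", probe_parameter(hardened_endpoint, "id"))
```

Against the unsanitised stand-in the single quote, the backslash and `1'` all draw a MySQL syntax error with an HTTP 500; the double quote and `1;` sit harmlessly inside the literal, which is itself a hint about how the value is quoted. The hardened stand-in rejects every malformed value with a 400 and the probe reports nothing.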

Leave an audit trail

Audit trails are records of what happened, typically contained in log data.

Established tools such as Metasploit can log each module launched, the target it was run against, and the outcome, so the enterprise customer can see how the test was conducted. An audit trail also documents what made penetration of the organization’s websites and applications possible, which is exactly what the remediation team needs in order to fix the cause rather than the symptom.

Pen testers should record every test they run so the trail is complete, and keep each test controlled and scoped so the applications come to no harm. They should take their scripts and testing tools from known-good sources: a poorly coded script that fails silently produces false negatives, reporting a clean result exactly where a vulnerability exists.
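An added example of what such a trail can look like; it is not from the article and goes one step beyond it by chaining the records with SHA-256, so the customer can verify afterwards that no step was altered or quietly dropped. The field names, tester identity, engagement id and URLs are constructed for the illustration.

```python
"""Tamper-evident audit trail for a penetration test, one JSON line per step.

Added illustration, not the article's code. Each record states what was
tested, how, what came back and what was concluded, and carries a SHA-256 over
the previous record's hash plus its own content, so editing or removing a
record breaks the chain at that point. Field names are this example's own.
"""
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # the link the first record chains to


def _digest(prev_hash, payload):
    """Hash the previous link together with the canonical JSON of this record's content."""
    canonical = json.dumps(payload, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + canonical).encode()).hexdigest()


class AuditTrail:
    def __init__(self, tester, engagement):
        self.tester = tester
        self.engagement = engagement
        self.records = []

    def record(self, target, method, evidence, result, when=None):
        """Append one step: what was tested, how, what came back, and the conclusion."""
        when = when or datetime.now(timezone.utc).isoformat(timespec="seconds")
        payload = {
            "engagement": self.engagement,
            "tester": self.tester,
            "time": when,
            "target": target,
            "method": method,
            "evidence": evidence,
            "result": result,
        }
        prev = self.records[-1]["hash"] if self.records else GENESIS
        self.records.append({**payload, "prev": prev, "hash": _digest(prev, payload)})
        return self.records[-1]

    def dump(self):
        """Serialise as JSON Lines, the form handed to the customer."""
        return "\n".join(json.dumps(r, sort_keys=True) for r in self.records) + "\n"


def verify_trail(jsonl):
    """Return (True, None) if the chain is intact, else (False, index_of_first_bad_record)."""
    prev = GENESIS
    for index, line in enumerate(jsonl.splitlines()):
        rec = json.loads(line)
        payload = {k: v for k, v in rec.items() if k not in ("prev", "hash")}
        if rec["prev"] != prev or rec["hash"] != _digest(prev, payload):
            return False, index
        prev = rec["hash"]
    return True, None


def demo():
    """Constructed three-step trail, then the same trail with one result altered."""
    trail = AuditTrail("tester@example-pentest.invalid", "ENG-0001")
    t = "2024-05-01T10:00:00+00:00"  # fixed timestamps keep the demo reproducible
    trail.record("https://app.example/item?id=1", "baseline request", "HTTP 200", "ok", t)
    trail.record("https://app.example/item?id='", "malformed id value",
                 "HTTP 500, MySQL syntax error in body", "finding", t)
    trail.record("https://app.example/profile", "edited hidden field role=user to admin",
                 "HTTP 403", "not exploitable", t)
    good = trail.dump()
    tampered = good.replace('"result": "finding"', '"result": "ok"')
    return verify_trail(good), verify_trail(tampered)


if __name__ == "__main__":
    print(demo())
```

The intact trail verifies end to end; downgrading the second record’s result from “finding” to “ok” is caught at index 1, and deleting a record is caught at the position where the next record’s `prev` no longer matches. Handing the customer the final hash at the end of the engagement is what makes the trail checkable without trusting the tester’s copy.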

What to look for in quality pen testers

To get this kind of quality in your outsourced penetration tests, use established professionals who can demonstrate the requisite certifications and experience and a mastery of the penetration testing workflow.

 

David D. Geer (https://www.linkedin.com/in/daviddgeer/) writes about cybersecurity and technology for national and international publications. David’s work appears in various trade magazines from IDG in the U.S. and around the world in several languages. Scientific American, The Economist Technology Quarterly, and many other magazines and companies have used David’s content. David’s Google Scholar page is at https://scholar.google.com/citations?user=ZkKA3fsAAAAJ&hl=en.