Penetration Testing: What It Is and Why You Should Do It

Do you remember the first time we see Charlize Theron in “The Italian Job”? She’s in the dark, with a penlight on her head, breaking into a safe. The lights get thrown on, and we think she’s been caught red-handed until we realize she was hired to break into the safe to expose its vulnerabilities.

That’s a pretty good starting place for understanding what penetration testing, or “ethical hacking,” is and why we recommend you do it. Testers receive a valid user account within your system, and then attempt to find the weak points in its security, without knowing any of the inner workings of the application. The results tell you exactly where the flaws are that an attacker will use to exploit your system and its data.

At Coretec, business logic testing, error handling, and session management testing are among the battery of tests we perform as part of our newest penetration testing service. We provide you with a detailed report* outlining the level of compliance your system has with the guidelines laid out by the Open Web Application Security Project Foundation. These guidelines were developed by OWASP to improve application security, and below we outline just a few of those guidelines and some of the tests we perform.

*Please note, Charlize has not responded to our requests to come work with us, so we can only stand behind the quality of our work and make no guarantee that she will show up to deliver your report.

Authentication Testing
In a world where you may never see the faces or hear the voices of the people who use your system, verifying that users legitimately are who they say they are is crucial to keeping users’ digital identity within their control. From passwords to fingerprints, to voice ID, to iris scans, the tech world is always looking for new ways to validate users.

Authentication testing includes ensuring that those credentials are properly transported over encrypted channels, that the authentication process cannot be easily bypassed, and that there are stringent rules requiring users to create sufficiently complex passwords. We evaluate password change and reset functions, as well as conditions where users have selected that the system “remember” their password, a situation that creates any number of entry points for the savvy attacker.
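As an added illustration (not Coretec's own tooling), the sketch below audits a "remember me" cookie the way a tester might when reviewing that feature. It assumes the feature is implemented with a persistent cookie; the cookie name, token values, and 30-day limit are constructed for the example.

```python
from http.cookies import SimpleCookie

MAX_REMEMBER_SECONDS = 30 * 24 * 3600  # assumed policy limit: 30 days


def audit_set_cookie(set_cookie_value):
    """Return {cookie_name: [issues]} for one Set-Cookie header value."""
    jar = SimpleCookie()
    jar.load(set_cookie_value)
    report = {}
    for name, morsel in jar.items():
        issues = []
        if not morsel["secure"]:
            # Without Secure the browser also sends the cookie over plain HTTP.
            issues.append("no-secure")
        if not morsel["httponly"]:
            # Without HttpOnly, injected page script can read the token.
            issues.append("no-httponly")
        if morsel["samesite"].lower() not in ("lax", "strict"):
            # Without SameSite the cookie rides along on cross-site requests.
            issues.append("no-samesite")
        max_age = morsel["max-age"]
        if max_age and int(max_age) > MAX_REMEMBER_SECONDS:
            # A very long lifetime widens the window for a stolen token.
            issues.append("long-lived")
        report[name] = issues
    return report


# Constructed sample headers: the weak setting beside the corrected one.
WEAK = "remember_me=u42-token; Max-Age=31536000; Path=/"
HARDENED = ("remember_me=u42-token; Max-Age=1209600; Path=/; "
            "Secure; HttpOnly; SameSite=Lax")

if __name__ == "__main__":
    for label, header in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit_set_cookie(header))
```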

Authorization Testing
Remember that fake ID that got you into the bar before you reached the legal drinking age? The name on the ID may have been yours, but the fictitious birthdate gave you privileges above your rank and station.

Similar to nightclubs that assign a form of identification to under-age customers to notify bartenders not to sell them alcohol, applications assign roles to users to allow or deny them access to specific information and functionalities within the system. Authorization testing ensures that users can’t change their role or access information outside of their designated role, something known as privilege escalation.

A series of bypass tests must also be run to make sure that a pre-authenticated user cannot access information, and that they can’t continue to access data after they have logged out. Additional tests are run to check if attackers could bypass the authentication and authorization systems altogether, giving them direct access to the database.

Cryptography
Cryptography involves the way information is safely relayed from one point to another without anyone being able to read it along the way. Data sent over HTTP is sent in plain text and can easily be read if intercepted, while HTTPS adds a layer of encryption. It’s a bit like sending a postcard vs. a sealed, registered letter.

However, HTTPS doesn’t always guarantee the safe delivery of information; even a registered letter could be opened along the way, which is why secret organizations developed ciphers to send information that only those who have the key can decrypt. Similarly, cryptography tests check whether data is being transmitted over encrypted HTTPS pathways, and whether servers are correctly configured to achieve a high-quality cipher.

Client-Side Testing
Client-side testing assesses vulnerabilities such as whether an attacker can make an HTML injection (allowing the attacker to control what the user sees), a URL redirect (which enables the attacker to send the user to a malicious site), and the particularly sneaky clickjacking, where an attacker essentially hijacks a user’s mouse clicks. The user, thinking they’re clicking on a specific link (such as “Win a Free Trip!”), is, unbeknownst to them, triggering a malicious action hidden underneath.
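Two of these checks can be expressed as code. The following is an added example, not part of Coretec's service or report: it tests whether a response restricts framing (the standard defense against clickjacking) and whether a redirect target stays on an allow-listed host. The header sets and host names are constructed for the example.

```python
from urllib.parse import urlsplit


def framing_restricted(headers):
    """True if the response limits which sites may embed it in a frame."""
    h = {k.lower(): v for k, v in headers.items()}
    if h.get("x-frame-options", "").strip().upper() in ("DENY", "SAMEORIGIN"):
        return True
    for directive in h.get("content-security-policy", "").split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            sources = [p.lower() for p in parts[1:]]
            # A wildcard or bare scheme lets any site frame the page;
            # an empty list is flagged so a tester reviews it by hand.
            open_sources = {"*", "http:", "https:"}
            return bool(sources) and not open_sources.intersection(sources)
    return False


def safe_redirect_target(target, allowed_hosts):
    """Accept same-site relative paths and allow-listed hosts only."""
    # Browsers treat "//host" and backslash variants as absolute URLs.
    if target.startswith("//") or "\\" in target:
        return False
    parts = urlsplit(target)
    if not parts.scheme and not parts.netloc:
        return target.startswith("/")
    return parts.scheme in ("http", "https") and parts.hostname in allowed_hosts


# Constructed sample data for the example.
UNPROTECTED = {"Content-Type": "text/html"}
PROTECTED = {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'"}
ALLOWED = {"app.example"}

if __name__ == "__main__":
    print("unprotected page framable:", not framing_restricted(UNPROTECTED))
    print("protected page framable:", not framing_restricted(PROTECTED))
    for t in ("/account", "https://app.example/home", "//other.example/x"):
        print(t, "->", safe_redirect_target(t, ALLOWED))
```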

Why We Recommend Penetration Testing

Trust between a system and its users is hard won and quickly lost. Our penetration testing service helps to identify and fix flaws before they become the security breach that destroys the trust you’ve worked hard to build. Contact us today to learn more, and to keep security at the core of what you do.

Sample Pages of a Coretec Penetration Testing Report