Rob Behnke
June 7th, 2021
Cybersecurity testing can be confusing. There are a few different types of tests, and terminology is often used interchangeably or misleadingly. One of the most important types of cybersecurity assessments is the penetration test. A good pen test provides an in-depth understanding of the potential vulnerabilities and attack vectors within the system under test.
A penetration test is a human-guided assessment of the security of a particular system. The goal of a pen test is to realistically simulate the tools, techniques, and procedures that a real-world threat actor would use when attacking a particular target.
A penetration test is a multi-stage and fluid process. It begins with the penetration testers performing reconnaissance on their target. Based on the results of that reconnaissance, the team can then develop a strategy for attacking the target system. At the end of the pen testing engagement, the testers generate a report that describes the steps that they took, their findings, and recommendations for improving the security of the target system.
Penetration testing is one of the most commonly misused phrases in cybersecurity. The reason for this is that many customers know that they want a penetration test but don’t know exactly what it entails. Some firms will bill their services as penetration testing to take advantage of the buzzword but then provide a different (often lesser) service.
Cybersecurity testing can come in a few different forms. Knowing the differences is essential to ensuring that you’re actually getting what you paid for with a penetration test.
Code reviews are a common form of security testing, especially in the blockchain space. The assessors receive a complete copy of the source code of an application and use a variety of automated and manual techniques to identify vulnerabilities or other issues in the code.
While code reviews are a valuable tool – and a good complement to pen testing – they are not a penetration test. Pen testing evaluates the security of a live environment, so it can identify configuration errors and issues that exist only at runtime. Code reviews, on the other hand, mainly detect static errors in a particular application.
Vulnerability scanners are designed to identify known vulnerabilities within applications. They do so by scanning applications using a database of known vulnerabilities. These scans could include checking to see if a particular version of an application has known vulnerabilities, looking for common vulnerability patterns (like SQL injection vulnerabilities), and identifying configuration errors (such as a weak password on an admin portal).
Vulnerability scanners are useful but no substitute for a pen test. They can only detect known vulnerabilities and do not provide the same depth of assessment as a manual penetration test.
Penetration testers will often use vulnerability scanners as part of a first-pass assessment of the target system’s security, enabling them to identify low-hanging fruit and potentially exploitable attack vectors. However, unlike a vulnerability scan, a penetration tester may actually exploit vulnerabilities to take a deeper look, and will look for issues that would not show up in a vulnerability scanner’s database.
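To make the scanner limitation concrete, here is a small added example (written for this page, not Halborn's tooling) of the two checks described above: matching a service banner against a database of known-vulnerable version ranges, and flagging a default credential on an admin portal. The product names, version ranges, `EXAMPLE-VULN-…` identifiers and credential list are all constructed for illustration; real scanners use curated vulnerability feeds. Note what the scanner cannot do: a product that is not in its database, or a flaw that has no database entry, produces no finding at all, which is exactly the gap a manual penetration test is meant to cover.

```python
"""Toy vulnerability scanner: version-range lookup plus a configuration check.

Added example for this article; all data below is constructed, and the
vulnerability identifiers are placeholders, not real CVE numbers.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class KnownVuln:
    product: str
    min_version: tuple      # first affected version (inclusive)
    fixed_version: tuple    # first patched version (exclusive)
    vuln_id: str            # placeholder identifier


def parse_version(text):
    """'2.4.49' -> (2, 4, 49); missing components are padded with zeros."""
    parts = [int(p) for p in re.findall(r"\d+", text)]
    return tuple((parts + [0, 0, 0])[:3])


# Constructed database of known-vulnerable version ranges.
VULN_DB = [
    KnownVuln("examplehttpd", (2, 4, 0), (2, 4, 50), "EXAMPLE-VULN-0001"),
    KnownVuln("examplehttpd", (2, 4, 50), (2, 4, 51), "EXAMPLE-VULN-0002"),
    KnownVuln("examplemq", (1, 0, 0), (1, 2, 4), "EXAMPLE-VULN-0003"),
]

# Constructed list of default credential pairs a scanner would flag.
DEFAULT_CREDENTIALS = {("admin", "admin"), ("admin", "password"), ("root", "toor")}

# Banners are assumed to look like "<product>/<version>", e.g. "examplehttpd/2.4.49".
BANNER_RE = re.compile(r"^(?P<product>[A-Za-z]+)/(?P<version>[\d.]+)")


def scan_banner(banner):
    """Return the ids of database entries whose version range covers this banner."""
    m = BANNER_RE.match(banner)
    if not m:
        return []  # unrecognised banner: the scanner has nothing to say
    product = m.group("product").lower()
    version = parse_version(m.group("version"))
    return [
        v.vuln_id
        for v in VULN_DB
        if v.product == product and v.min_version <= version < v.fixed_version
    ]


def check_admin_credentials(username, password):
    """True if the pair appears in the constructed default-credential list."""
    return (username, password) in DEFAULT_CREDENTIALS


def scan(host):
    """host: dict with a 'banner' string and an optional 'admin_creds' tuple."""
    findings = [("known_vulnerability", vid) for vid in scan_banner(host["banner"])]
    creds = host.get("admin_creds")
    if creds and check_admin_credentials(*creds):
        findings.append(("weak_configuration", "default admin credentials"))
    return findings


if __name__ == "__main__":
    # Constructed sample hosts; the last one is unknown to the database.
    for h in [
        {"banner": "examplehttpd/2.4.49", "admin_creds": ("admin", "admin")},
        {"banner": "examplehttpd/2.4.51"},
        {"banner": "otherd/9.9.9"},
    ]:
        print(h["banner"], "->", scan(h))
```

The version-range comparison is the part worth getting right: an entry is matched only when `min_version <= version < fixed_version`, so the patched release 2.4.51 produces no finding while 2.4.49 and 2.4.50 each match exactly one entry.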
Red and purple team engagements are typically performed by organizations that have already undergone some penetration testing and fixed the identified issues. The main difference between pen testing and red teaming is scope and sophistication.
A penetration test is designed to identify and fix as many holes as possible within an organization’s defenses. This makes it a good choice for organizations with a less mature cybersecurity posture because the pen test can help them to identify and close issues to achieve a certain level of security.
Red and purple team engagements are typically more targeted assessments. For example, a red team may be tasked with identifying vulnerabilities in a system largely believed to be secure or assessing the effectiveness of an organization’s existing security team (blue team). These more targeted engagements are designed to fix more specific problems than the more general pen test.
Pen tests are designed to help identify and correct vulnerabilities within a system. An organization may benefit from undergoing a pen test for a few different reasons, including:
While penetration testing is a common concept in IT systems, it is much rarer in the blockchain world. In general, most blockchain projects only undergo a code review focusing on the project’s smart contracts or blockchain implementation.
However, blockchains are complex, multi-layered environments, and code reviews do not always cover all facets of a project’s attack surface (such as its web app). A penetration test provides a better understanding of a blockchain project’s potential vulnerabilities and can reveal issues that other assessment techniques cannot.
Contact blockchain cybersecurity firm Halborn at halborn@protonmail.com to find out more about our penetration testing process.