Top 10 Penetration Testing Questions


Many companies require penetration testing and/or vulnerability assessments for compliance or customer assurance but don’t know much about penetration testing or how it works. Below we have compiled a list of the 8 penetration testing questions people typically ask during procurement.

How Is Pen Testing Different From Functional Software Testing?

The focus of pen testing is to identify security vulnerabilities in the software. This is usually NOT the intention of a functional tester.
Pen testing also requires in-depth knowledge of information security, which is not a common skill among software test engineers.

Who Does Pen Testing? 

Pen testing is typically performed by dedicated security experts and pen testing specialists. They use a set of tools to uncover information security issues in an application.
Many large organizations have an information security team that takes care of performing pen testing.
Small organizations typically outsource this, or sometimes do not pay much attention to it at all until their software has been seriously attacked and caused substantial damage.

How Much Does Penetration Testing Cost?

Testing prices can range anywhere from £2,000 to well over £20,000. The size of the scope greatly affects the penetration testing cost; a carefully scoped engagement where more information is made available to the consultant will typically cost less.
Due to the fairly high cost of pen testing, a lot of customers will question whether it’s worth the price tag.

We would ask them to consider the fact that penetration testing will help identify entry points within your applications and infrastructure that hackers in the wild can exploit.
Penetration testing will identify security issues and provide remediation instructions for your internal DevOps teams to follow. By identifying and remediating security issues within your organization, it significantly reduces the chances of a real hacker exploiting your systems and costing your organization a lot more than the price of a penetration test.

In our opinion, penetration testing is worth the price every time; just be sure that your internal teams address the discovered issues and that they are retested to confirm successful remediation.

How Much Testing Is Automated And How Much Is Manual?

The answer to this question depends on the individual penetration testing consultant that your company is hiring. However, it is important to note that penetration testing uses automated tools as part of the testing process. The industry tends to refer to this as “semi-automated”: a consultant uses automated scanning software to identify low-hanging fruit or common vulnerabilities.

After the security issues have been identified, they are chained together to form higher-severity issues, or in some cases to allow an attacker to penetrate the application or network. An example of this would be using Burp Suite’s scanner to identify an XSS vulnerability within a vulnerable web application, or using Burp’s Intruder tool to automate a list of manually built XSS payloads to confirm the presence of an XSS vulnerability.
After the discovery of XSS, the ethical hacker performing the penetration test will manually exploit the XSS vulnerability and combine it with other security issues, which may lead to a CSRF bypass or cookie theft.

In short, there’s nothing wrong with ethical hackers using automated tools. However, scanners and other tools typically only spot simple vulnerabilities. Pen testers use their experience, skills, and brains to think outside the box and find and combine vulnerabilities that an automated tool would otherwise miss.

What Kinds Of Tools Will You Be Using?

Some of the most common tools that ethical hackers utilize are Burp Suite, Nessus, and Metasploit. These three tools support the penetration testing process, allowing the pen tester to identify issues and manually exploit the discovered vulnerabilities (as discussed above).

Common Penetration Testing Tools

  • Burp Suite
  • Nessus
  • Metasploit
  • More tools are listed on this page

What’s The Difference Between A Vulnerability Assessment And A Penetration Test?

A Vulnerability Assessment (also known as a VA) informs you whether your network environment has any vulnerabilities. A penetration test digs deeper than simply identifying security weaknesses: the tester actively looks for and attempts to exploit any holes in your system security, and exploiting a vulnerability verifies its existence. Manual testing identifies security weaknesses that a simple scan wouldn’t be able to find.

Key differences between the two

  • Penetration testing exploits vulnerabilities
  • Vulnerability assessments identify vulnerabilities but do not exploit them
  • Penetration testing goes a step further, pivoting and chaining discovered issues together

What’s Your Approach To A Pen Test?

Depending on the firm you hire, the approach will likely differ; typically you can request their testing methodology. Most reputable companies base their testing methodologies on established frameworks such as NIST, OWASP, and PTES.

Every team has a slightly different approach, but ultimately, they follow the same set of rules. Here are a few guidelines some of the best pen testers follow:

Discovery: In this phase of the process, the technician gathers as much relevant information about your company as possible, much of which is very likely, unknowingly, already in the public domain. This information could be key to an attacker breaking through your company’s cyber defenses.

Scanning: Here automated and manual scanning techniques are used to uncover vulnerabilities in the system. If the process is performed correctly, the automated scan should run in tandem with the manual scan, or at least the two should complement each other.

Exploitation: Once an issue has been identified, the technician must attempt to exploit it. Technicians who rely too much on tools will have trouble during this portion of the process. This is an important step and requires a very high level of trust between the technician and the company they are providing their service to. If your “penetration test” does not include the exploitation step, then it’s a vulnerability assessment and not a penetration test.

Post Exploitation: After the vulnerabilities are thoroughly exploited, the access and information gained are used to gather additional information.

How Do You Report The Findings?

Before beginning any security testing, the following must be agreed between the technician and the business:

  • Several emergency contacts for the ethical hacker
  • An agreed-upon call frequency (daily or weekly wash-up calls)
  • How you’re planning to communicate with each other (e.g. phone, email, IM, etc.)
  • Final report delivery date

What Preparation Work Should We Do Before A Penetration Test? 

Before penetration testing can take place, the following preparation work is recommended:

  • Backups are taken (ensuring a point-in-time restore point, allowing the pre-test environment to be restored)
  • Applications are hardened and patched
  • The attack surface is reduced (by only exposing services that are required)

Obviously, the above depends on “why” you are conducting a pen test; you might be a CISO in a new organization who wants to gain an overview of the current state of the organization’s security.

Why Should I Have A Penetration Test Performed? 

A pen test lets you know the kinds of security issues your company’s network and environment may have. It gives your company the opportunity to find the holes in your security so you can address them before an attacker has the chance to use these vulnerabilities against you.
