Penetration tests

Pen tests are one of the methods used to assess the security level of an application or system. They are based on techniques used by a real attacker.

Type | Description
Black-box tests | These tests are performed with no knowledge of the system: the auditors have no information at all about the analyzed system (application). In the case of an application, the auditors can influence the input and have access to the output data (most often, they don't have access to the application's runtime environment).
White-box tests | These tests are performed with complete knowledge of the analyzed system, its architecture and the technologies used. In the case of an application, the auditors have access to the application's source code and runtime environment.

Which method is better? A lot of people claim that black-box testing is the most appropriate way of assessing the security level because it reflects a real attack. In practice, most external attacks are automated and are based on well-known vulnerabilities. The highest-risk attacks use 0-day vulnerabilities or are carried out by people who have knowledge of the attacked system. In the case of internal break-ins, the attacker always has at least minimal knowledge of the target. That's why white-box tests usually give the best results.
Why and when to use the black-box approach? There are two main reasons:

  • Black-box tests are ideal for identifying information disclosure from the system (i.e. identification of deployed solutions based on their network characteristics).
  • Black-box tests can be performed faster in some cases, so they can be used as the beginning of a larger project.

AVET INS has performed pen tests for over 10 years for Fortune 500 organizations and critical government administration systems. We help in choosing the appropriate methodology and scope of our tests. When testing systems in a production environment, we deliver the scope of our tests to ensure the system's safety.

During our pen tests we can use the threat model if the customer has one. In its absence, AVET INS can develop such a model and then verify it with the pen tests.