Introduction and Background
The aim of this report is to analyse the scenario for conducting a penetration test. The main purpose of the project is to deliver a white-box penetration test. The client has asked for a penetration test against a web server and the related web application hosted on Amazon AWS (Toapanta et al., 2020). The legal and ethical aspects of penetration testing are discussed, and penetration testing methods are compared with each other so that a suitable one can be chosen.
Most businesses have gained a bad reputation simply by not following the legal and ethical aspects. The legal and ethical aspects of penetration testing are as follows:
- When performing a pen test, the tester needs to break into the computer network (Wiedey, Becker and Brix, 2020). Professional pen testers must break into a system only at the request of the operator or system owner, or with the implicit or actual consent of authorized personnel.
- Before conducting a pen test, both parties need to sign a contract in which the ethical and legal responsibilities of the pen tester and the permissions from the system owner are documented (Ross, Baji and Barnett, 2019). The ethical hacker needs to obtain a "get out of jail free" card from the customer that stipulates the authorization of the pen test. The client must have the legal authority to authorize the penetration test.
- Another legal aspect that can arise in penetration testing is the impact of the pen test on the users of the system, especially when the test is conducted on a live or production system (Ojagbule, 2019). The customers should be given written notice when pen testing is performed, because even a test that is performed appropriately and accurately can cause serious damage, potential injury or data loss.
Pen testing, whether electronic or physical, carries varying degrees of inherent legal risk. It is very important to understand the relevant legislation and how it affects pen testers (Jaswal, 2018). It is easy, while performing a perfectly legal test, to cross the line inadvertently into questionable legal territory. Understanding the laws related to pen testing helps ensure that the system is not put into a legally vulnerable position. The legislation most relevant to the pen tester can be found in the following Acts of Parliament:
- The Computer Misuse Act 1990 and 2006.
- The Human Rights Act 1998 (particularly Article 8).
- The Regulation of Investigatory Powers Act 2000.
- The Data Protection Act 1984 and 1998.
Regular use of penetration tests is key to the safety of any user or website owner. This practice provides a clear idea of the types of threats that can come from the outside world and which threats can cause enormous damage to an organization. There are certain vulnerabilities in the project of any user or site owner that allow hackers to take certain steps (Ibrahim and Kant, 2018). Penetration tests are routine security checks that help the user or owner detect vulnerabilities in their project so that hackers cannot cause harm using those vulnerabilities. It is very important to carry out regular penetration tests to avoid any harm. Penetration testing can deliver different results depending on the methods and standards it leverages. Up-to-date methods and standards of pen testing provide a viable option for organisations that need to secure their systems and fix cyber security vulnerabilities (Han, Kheir and Balzarotti, 2017). In the next part, the pen testing methods OSSTMM, OWASP and PTES are compared with each other. The methods are compared mainly by their effectiveness and security purpose, so that the existing vulnerabilities in the system can be listed and potential security measures can be taken.
Legal and Ethical Considerations
OSSTMM methodology in pen test: OSSTMM stands for Open Source Security Testing Methodology Manual. It is a peer-reviewed method used for security testing (Halton et al., 2017). It is administered by ISECOM, the Institute for Security and Open Methodologies. It was created primarily as a security audit method for assessing against regulatory and industry needs. However, this method is never considered a standalone method. The method is based on the development of an organization, in a way that is suitable for its regulations and structures. The OSSTMM methodology relies entirely on the pen testing method. Once an organization is formed, it is imperative for the organization to work with a quality audit firm to move the company forward. In this case, before spending money in any sector, the company has to choose different methods to close its security loopholes. The company hires specialists to avoid such security loopholes. These security experts usually choose the OSSTMM method to avoid these types of security loopholes. Kirkpatrick Price is used to further improve the testing services of OSSTMM (Famuwagun, 2018). It is used because the results obtained from it can be thoroughly analyzed and because they are completely reliable and effective.
OWASP method in pen test: Penetration testing methods are usually used to evaluate a network or computer system. They are used to determine whether an attacker can take advantage of a system's vulnerabilities and to detect those vulnerabilities (Estebanell Castellví, 2020). Penetration testing is a great way to get an idea of how much damage hackers can do to the system. OWASP penetration testing is another advanced quality test that typically identifies attack vectors and vulnerabilities. Whether the security system is working properly is an essential issue in any organization, and a penetration test confirms that the system holds up. The OWASP method addresses Broken Access Control. This type of vulnerability appears when an application does not properly check authorization. The method identifies such vulnerabilities so that they can be closed (Edström and Zeynalli, 2020). It is very important to keep any kind of data safe for future use. Cryptography is used in this case to encrypt public data, and this encryption topic also falls under OWASP. Some applications fail because they are not updated in time. This is not due to the preserved knowledge but to incorrect version migration, and OWASP helps to fix this problem.
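An added example (not part of the original report) of the Broken Access Control condition described above: a handler that skips the authorization check next to one that enforces it, with a small access matrix a reviewer can compare against the intended policy. The invoice data, the `User` type and all function names are hypothetical and constructed for illustration.

```python
# Added example: constructed data and hypothetical names, not from the report.
from dataclasses import dataclass

@dataclass(frozen=True)
class User:
    user_id: int
    role: str  # "customer" or "admin"

# Constructed sample records: invoice id -> owner and content.
INVOICES = {
    101: {"owner_id": 1, "total": "120.00"},
    102: {"owner_id": 2, "total": "75.50"},
}

class Forbidden(Exception):
    """Raised when the caller is not authorized for the object."""

def get_invoice_vulnerable(current_user: User, invoice_id: int) -> dict:
    # Broken access control: the caller is authenticated, but nothing checks
    # that the requested invoice belongs to them.
    return INVOICES[invoice_id]

def get_invoice_hardened(current_user: User, invoice_id: int) -> dict:
    invoice = INVOICES.get(invoice_id)
    # Deny by default; use the same error for "missing" and "not yours" so
    # the response does not reveal which ids exist.
    if invoice is None:
        raise Forbidden("not authorized")
    if current_user.role != "admin" and invoice["owner_id"] != current_user.user_id:
        raise Forbidden("not authorized")
    return invoice

def access_matrix(handler) -> dict:
    """Call handler for every (user, invoice) pair and record allow/deny."""
    users = [User(1, "customer"), User(2, "customer"), User(9, "admin")]
    result = {}
    for user in users:
        for invoice_id in INVOICES:
            try:
                handler(user, invoice_id)
                result[(user.user_id, invoice_id)] = True
            except Forbidden:
                result[(user.user_id, invoice_id)] = False
    return result
```

Comparing `access_matrix(get_invoice_vulnerable)` with `access_matrix(get_invoice_hardened)` shows the cross-customer reads that the missing ownership check allows.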
Comparison Criteria
PTES method of pen testing: The Penetration Testing Execution Standard (PTES) is the most recent and comprehensive of all the current penetration testing methods. It was created by data security practitioners to provide an updated version of the penetration testing process (Burdzovic and Matsson, 2019). The method is commonly used to guide security professionals about security. The penetration test plays an important role in guiding business discussions and highlighting successful projects. PTES is divided into two parts, and one part is completely dependent on the other (Bertoglio and Zorzo, 2017). The first part describes the steps of the procedure using patent guidelines. The second discusses in detail the techniques and tools used in each step. The first step in the whole process is pre-engagement interaction, in which, before the process starts, its initial stages are discussed and complete information about all the important issues is provided. This helps establish a general understanding and arrangement of each important assessment. As a result, there is no misunderstanding between the client and the penetration tester (Abad García, 2019). This section includes some special items that are discussed in detail, the most notable of which is estimating time and budget. It also discusses media, event management, business rules and regulations, and providing index numbers and transaction information with third parties (Agaiby and Mayne, 2018). Intelligence gathering is considered to be the earliest stage of the whole PTES process.
Among all these methods, OWASP is the most suitable, because it describes the assessment of web-based applications to identify the vulnerabilities listed in the OWASP Top 10 (Brito and Perurena, 2021). OWASP pen testing is designed to identify, safely exploit and help address vulnerabilities, so that weaknesses can be discovered and secured with proper mitigation methods.
Conclusion
Thus, it can be concluded that this paper has provided the project plan for performing penetration testing by analysing the scenario of a server hosted on Amazon AWS. The legal and ethical aspects of penetration testing have been presented, the pen testing methods OWASP, OSSTMM and PTES have been discussed and compared with each other, and lastly the OWASP method has been recommended for the next stage.
References
Abad García, G., 2019. Online penetration testing laboratory.
Agaiby, S.S. and Mayne, P.W., 2018. Evaluating undrained rigidity index of clays from piezocone data. Cone Penetration Testing (Delft), pp.65-72.
Bertoglio, D.D. and Zorzo, A.F., 2017. Overview and open issues on penetration test. Journal of the Brazilian Computer Society, 23(1), pp.1-16.
Brito, H.R.G. and Perurena, R.M., 2021. Riesgos de seguridad en las pruebas de penetración de aplicaciones web: Security risks in web application penetration testing. Revista Cubana de Transformación Digital, 2(2), pp.98-117.
Burdzovic, A. and Matsson, J., 2019. IoT Penetration Testing: Security analysis of a car dongle.
Edström, V. and Zeynalli, E., 2020. Penetration testing a civilian drone: Reverse engineering software in search for security vulnerabilities.
Estebanell Castellví, A., 2020. Penetration Testing Methodology for Internet of Things Devices (Master’s thesis, Universitat Politècnica de Catalunya).
Famuwagun, A., 2018. Penetration testing on DNS server: case Kali-Linux.
Halton, W., Weaver, B., Ansari, J.A., Kotipalli, S.R. and Imran, M.A., 2017. Penetration Testing: A Survival Guide. Packt Publishing Ltd.
Han, X., Kheir, N. and Balzarotti, D., 2017, October. Evaluation of deception-based web attacks detection. In Proceedings of the 2017 Workshop on Moving Target Defense (pp. 65-73).
Ibrahim, A.B. and Kant, S., 2018. Penetration testing using SQL injection to recognize the vulnerable point on web pages. International Journal of Applied Engineering Research, 13(8), pp.5935-5942.
Jaswal, N., 2018. Mastering Metasploit: Take your penetration testing and IT security skills to a whole new level with the secrets of Metasploit. Packt Publishing Ltd.
Navarro, M.J., Guía del PMBOK para la gestión de pruebas de intrusión a aplicaciones web. PMBOK guide for web application penetration testing management.
Ojagbule, O., 2019. Security Analysis of the Internet of Things Using Digital Forensic and Penetration Testing Tools.
Ross, R., Baji, A. and Barnett, D., 2019. Inner profile measurement for pipes using penetration testing. Sensors, 19(2), p.237.
Toapanta, S.M.T., González, R.F.P., Espinoza, M.G.T. and Gallegos, L.E.M., 2020, December. Analysis of the Software Most Used by Hackers to Carry Out Penetration Testing in Public Organizations. In MLIS (pp. 107-114).
Wiedey, C., Becker, L. and Brix, T., Security Assessment of RESTful APIs through Automated Penetration Testing.