The aim of this report is critically comparing the existed methods of penetration testing against the scope of the scenario. The scenario is about an SME that is building capabilities in penetration testing. There is a team of three consultants who are taking preparations for delivering project based on white box penetration testing (Gluth et al., 2020). The client has asked the employer for conducting the pen test against a web server and the relevant web application of it that is hosted on Amazon AWS. The legal and ethical aspects of pen testing will be discussed as well as the comparison criteria will be also discussed in this paper.
The pen testing is a type of security testing which is used for discovering existed vulnerabilities, risks and threats which can be exploited by an attacker in web apps, software application and networks. The main purpose of pen testing is identifying and testing all of the possible security vulnerabilities which are presented in the software application (McKinnel et al., 2019). The biggest issue is there are various security testing tools which are based on the intent of user that means there are inherent challenges for proving that people are breaking specific laws. According to laws and regulations of UK there are various legal and ethical aspects of penetration testing, such as:
Along with the above discussed laws there are some major ethical aspects which needs to be considered while performing penetration testing. They are:
The methodologies of pen testing like OWASP, PTES and OSSTMM will be compared with each other, they will be compared according to their effectiveness, confidentiality and working process. The methods will be compared according to the effectiveness of cost cutting of the network downtime (Khera, Kumar and Garg, 2019). The penetration testing are best know to reveal the weaknesses in the target environment, through the end of the test, a report will be received with all of the problematic access points in the system along with the suggestions for software and hardware improvements those are needed for upgrading the security. Usually, the pen testing begin with the high risk vulnerabilities as well as then it move to the low and medium risks. The methods will be also compared accordingly (Sina, 2019). The results from the pen testing varies in accord with the skills of the white hat hackers, the time taken for the test, changes in the system at the time of the test.
The methods will be also compared with each other according to the testing ability of responding to real cyber threats (Lu and Yu, 2021). If the hackers methods will be known, then the tactics and tools can be prepared to shut them down as well as kick them out from the system. As the main purpose of pen testing is to provide security to the system so according to these criteria the methods will be compared.
The pen testing methodology is actually a manner in that a pen test is executed and organised. The methods of pen testing are exited for identifying the security vulnerabilities in the organisation. Each of the methodologies can outline the procedure an organisation can take for discovering the vulnerabilities (McKinnel et al., 2019). While the organisations can utilize the custom processes of their own, there are so many industry organised and readily established methodologies which can be a great option for the organisation. The top four methods of pen testing are OSSTMM, OWASP, PTES and NIST.
The OSSTMM or Open Source Security Testing Methodology Manual, is one of the recognizable most pen testing methods in the industry (Rani and Nagpal, 2019). This is actually a peer reviewed method which is maintained by the Institute for Security and Open Methodologies (ISECOM). This method provides allowance to the organisations for tailoring the pen tests of them for their specific requirements while giving accessibility to the developers to more secured portions to the environment for development (Gluth et al., 2020). The OSSTMM also provides allowance to the companies in tailoring the pen testing to the for the specific requirements while proving accessibility to the developers to more secured portions of their environment for further development (Zhou et al., 2019). This method also contains checks for ensuring about the adherence to laws and regulations.
The Open Web Application Security Project or OWASP method of pen test is actually the set of guidelines and standards for the security of web applications as well as is often the beginning point for the IT personnel when venturing in to the realm of the pen test initially (Baloch, 2017). This methos can provide various resources of its own for improving the security posture of both external and internal web based applications through providing the a comprehensive list of vulnerabilities to the companies for web applications along with the methods of mitigating them (Zhu, 2017).
The Penetration Testing Execution Standard or PTES can provide a high level of overview about the pen testing. All the traditional steps like Pre-engagement Interactions, Intelligence Gathering, Threat Modelling, Vulnerability Analysis, Exploitation, Post Exploitation and Reporting, are included in PTES method.
There is another methodology called NIST which stands for National Institute of Standards and Technology. Basically, it is more of a security framework than the method of pen testing (Dieber et al., 2020). It can provide the baseline standards to configure the technologies along with the stakes within the environment that can be applied to pen testing.
Among all these methods OWASP method can be chosen for the next stage as that will be a great way for the organization for implementing the regular security assessments in to the organization. The feedback from security assessment can provide allowance in changing and adapting methods according to the results (Schwartz et al., 2020). When followed updated regularly and flexibility, pen testing methods work for those who utilize them as well as bring success and simplicity to the procedure of the organization of cyber security assessment.
Conclusion:
Thus, it can be concluded from the report that the legal and ethical aspects of penetration testing has been discussed in this paper. The methods of pen testing have also been compared with each other according to the requirement of the scenario. The comparison criteria have also been discussed and the methods have also been compared accordingly. Among all those methods OWASP method has been chosen and recommended for the next stage.
References:
Baloch, R., 2017. Ethical hacking and penetration testing guide. Auerbach Publications.
Christen, M., Gordijn, B. and Loi, M., 2020. The ethics of cybersecurity (p. 384). Springer Nature.
Davidson, C., Al-Baghdadi, T., Brown, M., Brennan, A., Knappett, J., Augarde, C., Coombs, W., Wang, L., Richards, D., Blake, A. and Ball, J., 2018. A modified CPT based installation torque prediction for large screw piles in sand. In Cone penetration testing 2018 (pp. 255-261). CRC Press.
Dieber, B., White, R., Taurer, S., Breiling, B., Caiazza, G., Christensen, H. and Cortesi, A., 2020. Penetration testing ROS. In Robot operating system (ROS) (pp. 183-225). Springer, Cham.
Gluth, G.J., Arbi, K., Bernal, S.A., Bondar, D., Castel, A., Chithiraputhiran, S., Dehghan, A., Dombrowski-Daube, K., Dubey, A., Ducman, V. and Peterson, K., 2020. RILEM TC 247-DTA round robin test: carbonation and chloride penetration testing of alkali-activated concretes. Materials and Structures, 53(1), pp.1-17.
Gluth, G.J., Arbi, K., Bernal, S.A., Bondar, D., Castel, A., Chithiraputhiran, S., Dehghan, A., Dombrowski-Daube, K., Dubey, A., Ducman, V. and Peterson, K., 2020. RILEM TC 247-DTA round robin test: carbonation and chloride penetration testing of alkali-activated concretes. Materials and Structures, 53(1), pp.1-17.
Khera, Y., Kumar, D. and Garg, N., 2019, February. Analysis and Impact of Vulnerability Assessment and Penetration Testing. In 2019 International Conference on Machine Learning, Big Data, Cloud and Parallel Computing (COMITCon) (pp. 525-530). IEEE.
Lu, H.J. and Yu, Y., 2021. Research on wifi penetration testing with kali linux. Complexity, 2021.
Luswata, J., Zavarsky, P., Swar, B. and Zvabva, D., 2018, June. Analysis of scada security using penetration testing: A case study on modbus tcp protocol. In 2018 29th Biennial Symposium on Communications (BSC) (pp. 1-5). IEEE.
McKinnel, D.R., Dargahi, T., Dehghantanha, A. and Choo, K.K.R., 2019. A systematic literature review and meta-analysis on artificial intelligence in penetration testing and vulnerability assessment. Computers & Electrical Engineering, 75, pp.175-188.
McKinnel, D.R., Dargahi, T., Dehghantanha, A. and Choo, K.K.R., 2019. A systematic literature review and meta-analysis on artificial intelligence in penetration testing and vulnerability assessment. Computers & Electrical Engineering, 75, pp.175-188.
Rani, S. and Nagpal, R., 2019. Penetration testing using metasploit framework: An ethical approach. Int. Res. J. Eng. Technol, 6(8), pp.538-542.
Schwartz, J., Kurniawati, H. and El-Mahassni, E., 2020, June. Pomdp+ information-decay: Incorporating defender’s behaviour in autonomous penetration testing. In Proceedings of the International Conference on Automated Planning and Scheduling (Vol. 30, pp. 235-243).
Sina, B.J., 2019. Identifying the Efficacy of Various Penetration Testing Practices (Doctoral dissertation, Utica College).
Singh, A., Jaswal, N., Agarwal, M. and Teixeira, D., 2018. Metasploit Penetration Testing Cookbook: Evade antiviruses, bypass firewalls, and exploit complex environments with the most widely used penetration testing framework. Packt Publishing Ltd.
Zhang, N., Arroyo, M., Ciantia, M.O., Gens, A. and Butlanska, J., 2019. Standard penetration testing in a virtual calibration chamber. Computers and Geotechnics, 111, pp.277-289.
Zhou, T.Y., Zang, Y.C., Zhu, J.H. and Wang, Q.X., 2019. NIG-AP: a new method for automated penetration testing. Frontiers of Information Technology & Electronic Engineering, 20(9), pp.1277-1288.
Zhu, Z., 2017. Automated penetration testing for PHP web applications.
Essay Writing Service Features
Our Experience
No matter how complex your assignment is, we can find the right professional for your specific task. Contact Essay is an essay writing company that hires only the smartest minds to help you with your projects. Our expertise allows us to provide students with high-quality academic writing, editing & proofreading services.Free Features
Free revision policy
$10Free bibliography & reference
$8Free title page
$8Free formatting
$8How Our Essay Writing Service Works
First, you will need to complete an order form. It's not difficult but, in case there is anything you find not to be clear, you may always call us so that we can guide you through it. On the order form, you will need to include some basic information concerning your order: subject, topic, number of pages, etc. We also encourage our clients to upload any relevant information or sources that will help.
Complete the order formOnce we have all the information and instructions that we need, we select the most suitable writer for your assignment. While everything seems to be clear, the writer, who has complete knowledge of the subject, may need clarification from you. It is at that point that you would receive a call or email from us.
Writer’s assignmentAs soon as the writer has finished, it will be delivered both to the website and to your email address so that you will not miss it. If your deadline is close at hand, we will place a call to you to make sure that you receive the paper on time.
Completing the order and download