The aim of this report is to analyse the scenario for conducting penetration testing. The main purpose of this project is to deliver a white box penetration test. The client has asked for a penetration test against a web server and the related web application hosted on Amazon AWS (Toapanta et al., 2020). The legal and ethical aspects of penetration testing will be discussed, and penetration testing methods will be compared with each other so that the most suitable one can be chosen.
Most businesses have gained a bad reputation simply by not following the legal and ethical aspects. The legal and ethical aspects of penetration testing are given as follows:
Pen testing, whether electronic or physical, carries varying degrees of inherent legal risk. It is important to understand the relevant legislation and how it affects pen testers (Jaswal, 2018). It is easy, while performing a perfectly legal test, to cross the line inadvertently into questionable legal territory. Understanding the laws related to pen testing helps ensure that the system will not be put into a legally vulnerable position. The legislation most relevant to the pen tester can be found in acts of parliament like:
Regular use of penetration tests is key to the safety of any user or website owner. This practice provides a clear idea of the types of threats that can come from the outside world and which of them can cause enormous damage to an organization. Any user's or site owner's project contains certain vulnerabilities that allow hackers to take certain steps (Ibrahim and Kant, 2018). Penetration tests are routine security checks that help the user or owner detect vulnerabilities in their project so that hackers cannot do harm using them. It is very important to carry out regular penetration tests to avoid any harm. Penetration testing can deliver different results depending on the methods and standards it leverages. Up-to-date pen testing methods and standards provide a viable option for organisations that need to secure their systems and fix cyber security vulnerabilities (Han, Kheir and Balzarotti, 2017). In the next part, the pen testing methods OSSTMM, OWASP and PTES are compared with each other. The methods are compared mainly according to their effectiveness and security purpose, so that the existing vulnerabilities on the system can be listed and potential security measures can be taken.
OSSTMM methodology in pen testing: OSSTMM stands for Open Source Security Testing Methodology Manual. OSSTMM is a peer-reviewed method used for security testing (Halton et al., 2017). It is administered by ISECOM, the Institute for Security and Open Methodologies. A security audit method of this kind is created primarily to assess against regulatory and industry requirements. However, this method is never considered a standalone method. The method was built around the development of an organization, so that it suits regulations and structures. The OSSTMM methodology relies entirely on the pen testing method. Once an organization is formed, it is imperative for the organization to work with a quality audit firm to move the company forward. In this case, before spending money in any sector, the company has to choose different methods to close its security loopholes. The company hires specialists to avoid such security loopholes. These security experts usually choose the OSSTMM method to avoid these types of security loopholes. Kirkpatrick Price is used to further improve the testing services of OSSTMM (Famuwagun, 2018). Kirkpatrick Price is used because the results obtained from it can be thoroughly analyzed and because they are completely reliable and effective.
OWASP method in pen testing: Penetration testing methods are usually used to evaluate a network or computer system. They are used to determine whether an attacker is taking advantage of a system's vulnerabilities and to detect those vulnerabilities (Estebanell Castellví, 2020). Penetration testing is a great way to get an idea of how much damage hackers can do to the system. OWASP penetration testing is another advanced quality test that typically identifies attack vectors and vulnerabilities. Whether an organization's security system is working properly is an essential question, and a penetration test confirms that the system holds up. The OWASP method works through categories such as Broken Access Control. This type of vulnerability is noticeable when an application does not properly check authorization. The method identifies such vulnerabilities and closes them (Edström and Zeynalli, 2020). It is very important to keep any kind of data safe for future use. Cryptography is used for this, helping to encrypt public data, and this encryption aspect also falls under OWASP. Some applications fail because they are not updated in time. This is not due to the preserved knowledge but to incorrect version migration, and OWASP helps to fix this problem.
PTES method of pen testing: The Penetration Testing Execution Standard (PTES) is the most recent and comprehensive of the current penetration testing methods. It was created by information security practitioners to provide an updated version of the penetration testing process (Burdzovic and Matsson, 2019). The method is commonly used to guide security professionals about security. The penetration test plays an important role in guiding business discussions and highlighting successful projects. PTES is usually divided into two parts, and one part depends completely on the other (Bertoglio and Zorzo, 2017). The first part describes the steps of the procedure using the main guidelines; the second discusses in detail the techniques and tools used in each step. The first step in the whole process is pre-engagement interaction, in which, before the test starts, the initial stages of the process are discussed and complete information is provided on all the important issues. This helps establish a common understanding and the arrangement of each important assessment, so that there is no misunderstanding between the client and the penetration tester (Abad García, 2019). This section covers several items in detail, the most notable of which is estimating time and budget. It also discusses media, event management, business rules and regulations, and providing index numbers and transaction information with third parties (Agaiby and Mayne, 2018). Intelligence gathering is considered to be the earliest stage of the whole PTES process.
Among these methods, OWASP is the most suitable, as it describes the assessment of web-based applications to identify the vulnerabilities listed in the OWASP Top 10 (Brito and Perurena, 2021). OWASP pen testing is designed to identify, safely exploit and help address vulnerabilities, so that weaknesses can be discovered and secured with proper mitigation methods.
Conclusion
Thus, it can be concluded that this paper has provided the project plan for performing penetration testing by analysing the scenario of a server hosted on Amazon AWS. The legal and ethical aspects of penetration testing have been provided, the pen testing methods OWASP, OSSTMM and PTES have been discussed and compared with each other, and lastly the OWASP method has been recommended for the next stage.
References
Abad García, G., 2019. Online penetration testing laboratory.
Agaiby, S.S. and Mayne, P.W., 2018. Evaluating undrained rigidity index of clays from piezocone data. Cone Penetration Testing (Delft), pp.65-72.
Bertoglio, D.D. and Zorzo, A.F., 2017. Overview and open issues on penetration test. Journal of the Brazilian Computer Society, 23(1), pp.1-16.
Brito, H.R.G. and Perurena, R.M., 2021. Riesgos de seguridad en las pruebas de penetración de aplicaciones web: Security risks in web application penetration testing. Revista Cubana de Transformación Digital, 2(2), pp.98-117.
Burdzovic, A. and Matsson, J., 2019. IoT Penetration Testing: Security analysis of a car dongle.
Edström, V. and Zeynalli, E., 2020. Penetration testing a civilian drone: Reverse engineering software in search for security vulnerabilities.
Estebanell Castellví, A., 2020. Penetration Testing Methodology for Internet of Things Devices (Master’s thesis, Universitat Politècnica de Catalunya).
Famuwagun, A., 2018. Penetration testing on DNS server: case Kali-Linux.
Halton, W., Weaver, B., Ansari, J.A., Kotipalli, S.R. and Imran, M.A., 2017. Penetration Testing: A Survival Guide. Packt Publishing Ltd.
Han, X., Kheir, N. and Balzarotti, D., 2017, October. Evaluation of deception-based web attacks detection. In Proceedings of the 2017 Workshop on Moving Target Defense (pp. 65-73).
Ibrahim, A.B. and Kant, S., 2018. Penetration testing using SQL injection to recognize the vulnerable point on web pages. International Journal of Applied Engineering Research, 13(8), pp.5935-5942.
Jaswal, N., 2018. Mastering Metasploit: Take your penetration testing and IT security skills to a whole new level with the secrets of Metasploit. Packt Publishing Ltd.
Navarro, M.J., Guía del PMBOK para la gestión de pruebas de intrusión a aplicaciones web. PMBOK guide for web application penetration testing management.
Ojagbule, O., 2019. Security Analysis of the Internet of Things Using Digital Forensic and Penetration Testing Tools.
Ross, R., Baji, A. and Barnett, D., 2019. Inner profile measurement for pipes using penetration testing. Sensors, 19(2), p.237.
Toapanta, S.M.T., González, R.F.P., Espinoza, M.G.T. and Gallegos, L.E.M., 2020, December. Analysis of the Software Most Used by Hackers to Carry Out Penetration Testing in Public Organizations. In MLIS (pp. 107-114).
Wiedey, C., Becker, L. and Brix, T., Security Assessment of RESTful APIs through Automated Penetration Testing.