This note explains various penetration tests and what they assess within an organization’s IT environment. It highlights the importance of understanding the scope of each test and provides examples.
Network Infrastructure Tests
A network infrastructure test evaluates the security of network devices such as firewalls, routers, and switches. It also assesses authentication, authorization, and accounting (AAA) servers and Intrusion Prevention Systems (IPS). Wireless network assessments might also be included, to check WLAN security for vulnerabilities and to check signal strength.
Application-Based Tests
This type of pen test targets security weaknesses within applications used by an organization. It identifies vulnerabilities like misconfigurations, input validation issues, injection flaws, and logic flaws in both the application itself and its underlying database. The Open Web Application Security Project (OWASP) is a valuable resource for understanding common application security risks.
Penetration Testing in the Cloud
A cloud penetration test assesses the security posture of cloud environments offered by providers such as Azure, AWS, and GCP. It’s crucial to understand the shared responsibility model, in which security responsibility is divided between the cloud provider and the organization.