Pen Testing -> blackbox, graybox or crystalbox?
Since we, as application builders, spend a great deal of time building our applications, it is only logical that we test a lot as well. Of course we have the OTAP street (development, test, acceptance, production), and Agile is used as the basis too. And then, hooray, there is another production release (the P), and that is where the dangers of the unknown begin.
Our applications are then integrated into a complete network, where they run alongside all the other applications. This usually falls under "external" network and application management, with security currently high on the list of priorities.
The security of companies is often put to the test by so-called pen tests.
It turns out, however, that one pen test is not necessarily on the same level as another, even though a thing or two has been laid down procedurally in the CCV quality mark for pen testing.
That quality mark says nothing about what exactly has to be investigated, how findings are evidenced, or whether every step is reproducible. And then there is the question: should our customers commission a port scan, a blackbox test (the tester starts with no prior knowledge), a graybox test (the tester gets partial knowledge, such as credentials or documentation), a crystalbox test (full access, including source code and configuration), or should they hire a complete hacker team?
I clearly remember that, ten years ago, one of our larger customers called us: our Apache web server had failed their tests and the plug was pulled from TSMS. Boy, what stress. Since then our customers have tested our security continuously, and we are quite up-to-date. We are very grateful to our customers for sharing their knowledge, skills, records and advice to keep our security current.
Recently a customer who had done some pen testing called us: the application had a vulnerability. It turned out to involve a service whose path contained a space, without any quotes (") around it, the classic unquoted service path: without the quotes, Windows tries each space-separated prefix as a candidate executable before reaching the real one. Could we change this urgently? Of course we did, and we immediately thanked the customer. When we asked around whether other suppliers had these kinds of problems too, we were told with a laugh that there was a similar problem somewhere at Microsoft... you can guess that they were not called.
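The check a practitioner would want for the finding above is an unquoted service path audit. The following is an added example, not code from the original post or from the vendor described in it: it takes service ImagePath values (constructed samples, labelled as such in the code; the service names are made up) and computes which files Windows would try before the real binary, following the CreateProcess resolution order for an unquoted command line with spaces. The `writable_dirs` argument is an assumed input, a list of directories you have already established a low-privileged user can write to. On a real host you would feed it the PathName values from `Get-CimInstance Win32_Service` or the ImagePath values from the registry.

```python
import ntpath
import re

# Constructed sample ImagePath values, in the form they appear under
# HKLM\SYSTEM\CurrentControlSet\Services\<name>\ImagePath.  Sample data,
# not taken from the page or from any real host.
SAMPLE_SERVICES = {
    "GoodQuoted":  r'"C:\Program Files\Vendor App\svc.exe" -run',
    "SystemSvc":   r"C:\Windows\System32\svchost.exe -k netsvcs",
    "BadUnquoted": r"C:\Program Files\Vendor App\bin\svc.exe -run",
    "NoSpaces":    r"C:\Vendor\svc.exe",
    "Driver":      r"\SystemRoot\System32\drivers\foo.sys",
}

# The first ".exe" followed by whitespace or end of string marks the end of
# the executable part of an unquoted command line (the rest is arguments).
_EXE_RE = re.compile(r"^(.*?\.exe)(?:\s|$)", re.IGNORECASE)


def executable_path(image_path):
    r"""Split an ImagePath into (executable, was_quoted).

    A quoted path is everything between the first pair of double quotes.
    An unquoted one ends at the first '.exe' token; if there is no '.exe'
    (kernel drivers, odd binaries) the whole string is treated as the path.
    """
    s = image_path.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return (s[1:end] if end > 0 else s[1:]), True
    m = _EXE_RE.match(s)
    return (m.group(1) if m else s), False


def hijack_candidates(image_path):
    r"""Paths Windows tries before the real binary when the path is unquoted.

    CreateProcess resolves an unquoted command line by trying each
    space-delimited prefix with '.exe' appended: for
    C:\Program Files\Vendor App\bin\svc.exe it tries C:\Program.exe and then
    C:\Program Files\Vendor.exe before the real file.  Returns [] when the
    path is quoted or contains no spaces, so arguments after the executable
    (svchost.exe -k netsvcs) do not produce false positives.
    """
    exe, quoted = executable_path(image_path)
    if quoted or " " not in exe:
        return []
    parts = exe.split(" ")
    return [" ".join(parts[:i]) + ".exe" for i in range(1, len(parts))]


def exploitable_candidates(image_path, writable_dirs):
    """Candidates whose parent directory a low-privileged user can write to.

    writable_dirs is a collection of directories already known to be writable
    (on a real host you establish that with icacls or an actual write attempt);
    only those candidates can actually be planted.
    """
    norm = {d.rstrip("\\").lower() for d in writable_dirs}
    return [c for c in hijack_candidates(image_path)
            if ntpath.dirname(c).rstrip("\\").lower() in norm]


def audit(services):
    """Map service name -> hijack candidates for every affected service."""
    report = {}
    for name, image_path in services.items():
        cands = hijack_candidates(image_path)
        if cands:
            report[name] = cands
    return report


if __name__ == "__main__":
    for name, cands in audit(SAMPLE_SERVICES).items():
        print(f"{name}: unquoted path with spaces; Windows would first try:")
        for c in cands:
            print(f"    {c}")
```

The fix the customer asked for is exactly the difference between the `BadUnquoted` and `GoodQuoted` entries: put double quotes around the executable part of the ImagePath. Whether the finding is exploitable rather than merely untidy depends on `exploitable_candidates` returning something, which is why the writable-directory check belongs in the pen test report alongside the unquoted path itself.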
Read more about this in an article by Brenno de Winter (in Dutch): Een diepe duik in de wereld van pentests (A deep dive into the world of pen tests).