views: 109
answers: 2

Hi, I do not know the difference between penetration testing and other forms of security testing. Could anyone experienced in that area tell me the differences? I would really appreciate it. On a side note, is there any testing that simulates DoS? I do not know how to defend against it.

A: 

Securing a computer system is not something that can be done effectively by a layperson.

If you are not willing to invest the time to gain a solid foundation in systems security, hire a reputable consultant and trust their advice.

Insecure systems are everywhere. For instance, almost every single for-pay Wifi hotspot in use at hotels, coffee shops, and the like can have their paywall circumvented by someone with sufficient skill. If you don't know what you're doing, you won't even be aware that the vulnerability exists at all.

Borealid
Maybe the OP wants to learn and this question is a step towards knowledge?
Gert G
@Gert G: But the question is an apples-and-oranges comparison asking to compare "security", a general field, with penetration testing, a method of revealing systems' vulnerabilities by playing the part of an attacker. If the OP actually wanted to learn, would they not have spent the two minutes necessary to find a definition of terms before asking SO for help?
Borealid
@Borealid - In a perfect world people research before asking, but we're not there yet. ;)
Gert G
@Borealid This guy doesn't speak English very well; there are a lot of people on SO like this. It's about trying to figure out their intent, not the actual word-for-word meaning.
Rook
@The Rook: I can see where you're coming from. In this case, the way the question was worded tripped my "asker is not sufficiently knowledgeable to meaningfully understand an answer" sense. In the case of security, especially, I feel that giving someone an "easy answer" - a white lie, a Bohr-model explanation in an Oort-cloud world, might give them a false sense of confidence inciting them to do something poor. I feel that telling people "I can't answer your question until you know more" is better than giving them an answer of insufficient scope.
Borealid
@Borealid I pointed him in the right direction. But I agree that no tool alone is going to help if you don't know what you're doing. Pen testing takes real skill; at the end of the day, the masses will never obtain this skill no matter what they do.
Rook
+4  A: 

I am a penetration tester, and I'm happy to answer this question.

Penetration testing is usually a form of black box security testing. In a pen test you are trying to break into the server as many times as possible and report back on how they were able to break in. This is often done multiple times to make sure that the patches hold water. This is an important type of security testing because it's as real-world as it gets. Regular penetration testing is a requirement of the PCI-DSS. Common tools for web application penetration testing are Acunetix($), NTOSpider($$$), w3af(open source) and Wapiti(Open Source). For other types of penetration testing it is common to use Metasploit(open source), OpenVAS(open source), NMAP and THC-Hydra.

By contrast, in white box testing you have full access to the source code. You can enable debugging on the application to get better test results from scanners like Acunetix. You can also use Source Code Analysis Tools such as RATS(Open Source) and Coverity($$$$$).

There are 2 different forms of Denial Of Service attacks. The most simple is a Distributed Denial of Service attack in which the hacker is using a botnet to flood your server with traffic. This traffic could be an ICMP Ping, or even a simple HTTP GET request. Cisco has a number of very expensive products to help prevent this type of attack.

Another form of Denial Of Service is when there is a problem with the server itself. When this type of security flaw is found it's often given a CVE number because it is a violation of CWE-400. This is commonly due to an arithmetic overflow or stack/heap based memory corruption (a buffer overflow or dangling pointer). To prevent these types of attacks you should make sure that your software is up to date. It's not often that a 0-day DoS attack is used in the wild.

Rook
An excellent answer. Two comments: Penetration only occurs after development is complete. Due to the black-box nature, it reveals a narrow set of highly likely scenarios, but provides very poor "code coverage." Other forms of security testing (such as source code analysis, as mentioned) can take place during development. This means either developers, testers, or a security team can gather results prior to release and fix vulnerabilities earlier and cheaper. Often tools, logs or database access provide insight, allowing more nuanced vulnerabilities to be detected (such as race conditions).
Ben Walther
@Ben Walther Totally agree.
Rook
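As an added illustration of the second DoS class in the answer above (a server-side arithmetic overflow, the CWE-400 kind that source code analysis catches before a pen test would), here is a constructed example that is not part of the original post: a hypothetical record header carrying an entry count, parsed once without and once with the checks a reviewer would ask for. The record layout, ENTRY_SIZE and MAX_ENTRIES are assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed example (not from the original answer): a server reads a
 * record made of a 4-byte big-endian entry count followed by that many
 * 64-byte entries, and sizes a buffer for them. */
#define ENTRY_SIZE  64u
#define MAX_ENTRIES 4096u   /* hypothetical policy limit for one request */

static uint32_t read_u32_be(const unsigned char *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Vulnerable: trusts the count and multiplies in 32 bits. A large count
 * wraps the product (here to 0), so a later copy of count*ENTRY_SIZE bytes
 * overruns the undersized buffer; a merely huge count exhausts memory.
 * Both are the "problem with the server itself" DoS class (CWE-400). */
uint32_t vulnerable_record_bytes(const unsigned char *hdr) {
    uint32_t count = read_u32_be(hdr);
    return count * ENTRY_SIZE;          /* unsigned wrap is silent */
}

/* Hardened: cap the count by policy and guard the multiplication.
 * Returns 1 and sets *bytes on success, 0 if the header is rejected. */
int hardened_record_bytes(const unsigned char *hdr, size_t *bytes) {
    uint32_t count = read_u32_be(hdr);
    if (count == 0 || count > MAX_ENTRIES) return 0;     /* policy cap */
    if (count > SIZE_MAX / ENTRY_SIZE) return 0;         /* overflow guard */
    *bytes = (size_t)count * ENTRY_SIZE;
    return 1;
}

/* Convenience wrapper: the checked size, or 0 when the header is rejected. */
size_t checked_record_bytes(const unsigned char *hdr) {
    size_t bytes = 0;
    return hardened_record_bytes(hdr, &bytes) ? bytes : 0;
}

/* Constructed headers: a sane request (10 entries) and one with
 * count = 0x04000000, whose product 0x04000000 * 64 = 2^32 wraps to 0
 * in 32-bit arithmetic. */
static const unsigned char SANE_HDR[4] = {0x00, 0x00, 0x00, 0x0A};
static const unsigned char WRAP_HDR[4] = {0x04, 0x00, 0x00, 0x00};
```

A static analyser such as those the answer names flags the unchecked multiplication in the first function; a black-box test only finds it if the tester happens to send the wrapping count.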