Techno Logica


Friday, October 19, 2007

Penetration Testing

What is a penetration test?

Much of the confusion surrounding penetration testing stems from the fact that it is a relatively recent and rapidly evolving field. Additionally, many organisations have their own internal terminology (one man’s penetration test is another’s vulnerability audit or technical risk assessment).

At its simplest, a penetration test (actually, we prefer the term security assessment) is the process of actively evaluating your information security measures. Note the emphasis on ‘active’ assessment: the information systems are actually tested to find security issues, as opposed to a solely theoretical or paper-based audit.

Why conduct a penetration test?

From a business perspective, penetration testing helps safeguard your organisation against failure, through:

* Preventing financial loss through fraud (hackers, extortionists and disgruntled employees) or through lost revenue due to unreliable business systems and processes.
* Proving due diligence and compliance with your industry regulators, customers and shareholders. Non-compliance can result in your organisation losing business, receiving heavy fines, gathering bad PR or ultimately failing. At a personal level it can also mean the loss of your job, prosecution and sometimes even imprisonment.
* Protecting your brand by avoiding loss of consumer confidence and business reputation.

From an operational perspective, penetration testing helps shape information security strategy through:

* Identifying vulnerabilities and quantifying their impact and likelihood so that they can be managed proactively; budget can be allocated and corrective measures implemented.

What can be tested?

All parts of the way that your organisation captures, stores and processes information can be assessed: the systems that the information is stored in, the transmission channels that transport it, and the processes and personnel that manage it. Examples of areas that are commonly tested are:

* Off-the-shelf products (operating systems, applications, databases, networking equipment etc.)
* Bespoke development (dynamic web sites, in-house applications etc.)
* Telephony (war-dialling, remote access etc.)
* Wireless (WIFI, Bluetooth, IR, GSM, RFID etc.)
* Personnel (screening process, social engineering etc.)
* Physical (access controls, dumpster diving etc.)

What should be tested?

Ideally, your organisation should already have conducted a risk assessment, and so will be aware of the main threats (such as communications failure, e-commerce failure, loss of confidential information etc.), and can now use a security assessment to identify any vulnerabilities that are related to these threats. If you haven’t conducted a risk assessment, then it is common to start with the areas of greatest exposure, such as the public-facing systems: web sites, email gateways, remote access platforms etc.

Sometimes the ‘what’ of the process may be dictated by the standards that your organisation is required to comply with. For example, a credit-card handling standard (like PCI) may require that all the components that store or process card-holder data are assessed.

Useful Links

* Penetration Testing for Web Applications (Part One)
* Penetration Testing for Web Applications (Part Two)

Thursday, October 18, 2007

HP QuickTest Professional (Advanced) Training

HP QuickTest Professional software is advanced, automated testing software for building functional and regression test suites. It captures, verifies and replays user interactions automatically and helps testers quickly identify and report on application effects, while providing advanced functionality for tester collaboration.

HP QuickTest Professional software provides functional and regression test automation for major software applications and environments, including next-generation development technologies such as Windows® Presentation Foundation, web services, Macromedia Flex, .NET, J2EE, and ERP and CRM applications.

HP QuickTest Professional offers a fresh approach to automated testing: it deploys the concept of keyword-driven testing to radically simplify test creation and maintenance. Using keyword capabilities, your testers can build test cases by capturing flows directly from the application screens and applying robust capturing technology (record/replay). In addition, your power users get full access to the underlying test and object properties through an integrated scripting and debugging environment that is synchronized with the Keyword View capability for your complete testing cycle.

With HP QuickTest Professional, your Quality Assurance (QA) organization can:
• Empower the entire team to create sophisticated test suites with less training
• Establish correct functionality across all environments, data sets and business processes
• Fully document and replicate defects for developers, helping them fix defects faster and meet production deadlines
• Easily regression test ever-changing applications and environments
• Deliver quality products and services and improve revenues and profitability
• Enable tester workgroups to share automated testing assets across teams

Tuesday, October 16, 2007

HP QuickTest Professional software for Mobile

HP QuickTest Professional software for Mobile is a test-automation solution for applications running on Symbian OS, Windows Mobile® software and BREW mobile devices.

HP QuickTest Professional (QTP) software for Mobile satisfies the needs of both technical and non-technical users, enabling your company to deploy higher-quality mobile applications faster, cheaper and with less risk. HP QTP for Mobile enables the tester to connect, control and display the phone software on his PC console and perform a multitude of tests.

HP QTP for Mobile is based on the industry-leading solution for functional and regression test automation for every major software application and environment. This next-generation automated testing solution deploys the concept of keyword-driven testing to radically simplify test creation and maintenance. With the unique keyword-driven approach enabled by HP QTP for Mobile, test automation experts have full access to the underlying test and object properties via an integrated scripting and debugging environment that is synchronized with the keyword view.

With this product, your organization can achieve a number of advantages:
• Empower the entire team to create sophisticated test suites with less training.
• Fully document and replicate handset application defects, enabling them to be fixed in line with production deadlines.
• Easily perform regression testing in constantly changing device and application environments.
• Verify correct end-to-end functionality from mobile device to application server as well as from the application server to the device scenarios.
• Perform testing that is currently extremely labor-intensive or impossible, such as localization and acceptance testing.
• Use real devices, not simulation or emulation, to test the complexities of the radio network.

Figure: HP QTP for Mobile enables testers to connect, control and display the software from a device and perform a multitude of functional tests.

Features and benefits
• Enable greater return on investment through industry-leading user-interface and environment support.
• Operate the software stand-alone or integrated into HP Quality Center.
• Use next-generation, “zero-configuration” keyword-driven testing, allowing for fast test creation, easier maintenance and more powerful data-driving capability.
• Gain quick value: testers familiar with the industry-leading HP QuickTest Professional will have extremely efficient learning curves for the mobile version.
• Handle unforeseen application events with Recovery Manager, facilitating 24x7 testing to meet test project deadlines.
• Use simple data input to drive any object definition, method, checkpoint and output value via the Integrated Data Table.
• Provide a complete IDE environment for QA engineers.
• Rapidly isolate and diagnose defects with TestFusion reports.