Three areas to concentrate your security testing efforts

Senior IT security specialists, Jakub Kałużny and Mateusz Olejarka, outline the finer points behind security testing and what activities this might involve.

Can you define security testing and what it involves?

Jakub and Mateusz: Security testing is a process which aims to find weaknesses in the security mechanisms of a system or an application which may be exploited by a potential attacker.

Our security testing methodology involves three main parts:
i. threat modeling – a session performed with your customer’s business and technical representatives to identify possible risks related to a system or an application, as well as to create a test plan with possible attack scenarios;
ii. penetration testing – technical attempts to break the security as well as an evaluation of each scenario; and
iii. vulnerability assessment – with complementary recommendations for mitigation.


The idea behind these three processes is to focus your technical security testing where it counts, and to finish your work with a report which does not leave hundreds of false positives[1] for your client to solve. Penetration testing can also be augmented by code review performed either during or after the penetration testing process.

For organisations that are new to security testing, what are three areas that they should concentrate their security testing efforts in and why so?

Jakub and Mateusz: Security testing can be performed on many different levels. You could start at the physical security and access to servers, through the network and application level, and end with testing employee security awareness.

Firstly, I would advise concentrating on low-hanging fruit which does not require much effort from a potential attacker and is also the weakest element of the whole security landscape.

It is also important to focus on securing unprotected administrative interfaces available from the public internet, fixing web application vulnerabilities, restricting unnecessary user permissions, and trying to prevent or minimise the risk of malware infection from malicious attachments sent to employees.

Following the “least privilege principle”[2] may be a valuable start – minimising the number of attack vectors is a good path. We believe that network and application level security testing is a must but we also recommend security awareness training for employees – especially those who are not technically minded.
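Two of the checks named in this answer, exposed administrative interfaces and unnecessary permissions, can be put into a small review script. The following is an added example, not code from the interviewees or from SecuRing; the host name, addresses, process names, permission strings and the set of "administrative" ports are all constructed for illustration, and the `ss -lntp` sample is a made-up capture in that tool's Linux output format.

```python
"""Attack-surface review: two checks from the answer above, run on constructed data.
Added example, not code from the interviewees or SecuRing; hosts, addresses,
processes and permissions below are made up for illustration."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Set

# Ports usually carrying administrative interfaces (an assumption for this example;
# extend with whatever management ports your environment uses).
ADMIN_PORTS = {22: "ssh", 3389: "rdp", 5900: "vnc", 8443: "mgmt-https", 9090: "mgmt-console"}

# Address ranges treated as internal here. Anything else, and any wildcard bind
# (0.0.0.0 / :: / *), is assumed reachable from the public internet.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16",
    "::1/128", "fc00::/7", "fe80::/10")]


@dataclass
class Listener:
    host: str       # machine the socket was observed on
    address: str    # bound address as printed by ss, e.g. "0.0.0.0" or "::"
    port: int
    process: str    # process name, when ss could resolve it


def is_exposed(address: str) -> bool:
    """True when a bind address is reachable from outside the internal ranges above."""
    if address in ("*", "0.0.0.0", "::"):
        return True  # bound on every interface, including any public one
    ip = ipaddress.ip_address(address)
    return not any(ip in net for net in INTERNAL_NETS)


def parse_ss_output(host: str, text: str) -> List[Listener]:
    """Parse `ss -lntp` (Linux) listening-socket output into Listener records."""
    listeners = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] != "LISTEN":
            continue  # header line or a non-listening state
        addr, _, port = parts[3].rpartition(":")
        addr = addr.strip("[]")  # IPv6 literals are printed as [::]
        m = re.search(r'\("([^"]+)"', parts[5]) if len(parts) > 5 else None
        listeners.append(Listener(host, addr, int(port), m.group(1) if m else "?"))
    return listeners


def exposed_admin_interfaces(listeners: List[Listener]) -> List[Listener]:
    """Administrative ports bound where the public internet can reach them."""
    return [l for l in listeners if l.port in ADMIN_PORTS and is_exposed(l.address)]


@dataclass
class Account:
    name: str
    granted: Set[str]   # permissions the account holds
    used: Set[str]      # permissions actually exercised (e.g. from audit logs)


def excess_permissions(account: Account) -> Set[str]:
    """Granted but unused permissions: candidates for removal under least privilege."""
    return account.granted - account.used


# Constructed sample of `ss -lntp` output from a hypothetical host "web01".
SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22        0.0.0.0:*     users:(("sshd",pid=812,fd=3))
LISTEN 0      511    127.0.0.1:9090    0.0.0.0:*     users:(("console",pid=1404,fd=5))
LISTEN 0      128    203.0.113.10:8443 0.0.0.0:*     users:(("mgmt",pid=2201,fd=7))
LISTEN 0      4096   [::]:443          [::]:*        users:(("nginx",pid=990,fd=6))
"""

# Constructed accounts: granted permissions versus observed use.
ACCOUNTS = [
    Account("svc-report", {"db:read", "db:write", "db:admin"}, {"db:read"}),
    Account("svc-ingest", {"queue:consume", "db:write"}, {"queue:consume", "db:write"}),
]

if __name__ == "__main__":
    for l in exposed_admin_interfaces(parse_ss_output("web01", SS_OUTPUT)):
        print(f"EXPOSED  {l.host} {ADMIN_PORTS[l.port]} ({l.process}) on {l.address}:{l.port}")
    for a in ACCOUNTS:
        extra = excess_permissions(a)
        if extra:
            print(f"EXCESS   {a.name}: remove {sorted(extra)}")
```

The "used" permission set would in practice come from authorisation logs collected over a representative period; an account whose granted set exceeds what it ever used is exactly the "unnecessary user permission" the answer recommends restricting, and a management port bound to a wildcard or public address is the "administrative interface available from the public internet".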


How do you ensure that your security testing efforts are up-to-date?

Jakub and Mateusz: Of course, we follow the latest IT security news, industry press and researchers’ blogs. We also do our own research and publish it at conferences. During our assessments, we often talk to people directly involved in defending their companies from attacks. We exchange information about new threats and gather knowledge. We actively support the local chapter of OWASP – Open Web Application Security Project – a non-profit organisation and community which creates methodologies, documentation and tools for security testing.

In the IT security world, an object classified as “secure” can change to “vulnerable” in less than a minute – that’s why we have to be up-to-date or we are out-of-business.

Can you identify the different types of threats which can be used to take advantage of security vulnerabilities?

Jakub and Mateusz: To concentrate our efforts in a good direction, during our assessments we try to identify the actors who may try to attack a system, depending on project specifics. We classify attackers as script kiddies, opportunist hackers or APT (Advanced Persistent Threat[3]) groups.

Script kiddies just run scanners and exploits for known vulnerabilities, and that’s why you must have up-to-date systems. APT groups have enough time and resources to break more sophisticated systems, and you will have to introduce military-level security to protect against APT. Opportunist hackers are, more or less, qualified specialists who encounter vulnerabilities and try to exploit them. It is, therefore, for good reason that you should perform regular security tests, so as not to give them an easy job.

Ethical hacking refers to hacking performed by a company or an individual to help identify potential threats on a computer or network. A penetration test, however, is an attack on a computer system with the intention to find security loopholes, potentially gain access to it, its functionality and data. What is the difference, if any, between the two?

Jakub and Mateusz: Penetration testing is a simulation of an attack on a test object (network, system, application) with the aim of finding vulnerabilities which can lead to objects being compromised (network intrusion, system access, application database extracted). The scope depends on how it is defined by your customer. It is very similar to a real attack.

There are three levels of knowledge we can possess during a penetration test:
i. black box (no knowledge except materials that are publicly accessible about the target);
ii. grey box (it is the most popular case – we have some internal information about the target); and
iii. white box (full knowledge, source code access, full documentation and all our questions answered).

Whenever we can, we try to use a grey box approach. Our experience shows that this is the best solution in terms of a balance between the cost of the penetration testing (less time-consuming and therefore, cheaper) and the results (more accurate testing and more vulnerabilities found).

It, of course, requires more resources on your customer’s side because someone needs to be available to answer your questions.


Ethical hacking, in our opinion, is a much wider term. The objects to test can be much broader. For example, a whole company and its aim can be strictly defined (steal money, gain access to data). It can contain penetration testing activities as a way to achieve the goal, as well as other methods, such as white intel, social engineering and code review.

Can you provide one tip as to how to begin putting together a security testing and vulnerability management plan?

Jakub and Mateusz: Each system is different. That’s why we suggest starting with profound threat modeling. This session should be performed with both business and technical representatives of your client and an IT security consultant.

Putting together business risks, a technical overview and possible threats, we come up with a good plan as to where to find vulnerabilities and what should be primarily protected. We truly agree with OpenSAMM (Security Assurance Maturity Model). The first basic activities in the area of security testing should be penetration testing on software releases and deriving test cases from known security requirements. For vulnerability management, OpenSAMM suggests creating an informal security response team and a point of contact for security issues.

Jakub Kałużny

Jakub Kałużny is a Senior IT Security Consultant at SecuRing and performs penetration tests of high-risk applications, systems and devices. He is a speaker at many international conferences including OWASP AppSec EU, PHdays, CONFidence, HackInTheBox AMS, BlackHat Asia as well as local security events. Jakub previously worked for the European Space Agency and an internet payments intermediary. Apart from testing applications, he digs into proprietary network protocols, embedded devices and other enterprise solutions. Jakub is based in Poland.


Mateusz Olejarka

Mateusz Olejarka is a Senior IT Security Consultant at SecuRing. His key responsibilities are web and mobile application penetration testing, network infrastructure security assessment and source code review. Mateusz was previously a software developer building software for the financial sector. He is a regular speaker at Polish conferences and meetings dedicated to quality assurance and security. He has been a board member of the OWASP Poland local chapter since 2011 and is a co-organiser of chapter meetings. Mateusz is based in Poland.


[1] false positives – in binary classification, a false positive is an error in data reporting in which a test result improperly indicates the presence of a condition, such as a vulnerability (the result is positive), when in reality it is absent, while a false negative is an error in which a test result improperly indicates the absence of the condition (the result is negative), when in reality it is present. Reviewing false positives is a very time-consuming process as each one has to be addressed manually.

[2] “least privilege principle” – in information security, computer science, and other fields, the principle of least privilege (also known as the principle of minimal privilege or the principle of least authority) requires that in a particular abstraction layer of a computing environment, every module (such as a process, a user or a programme, depending on the subject) must be able to access only the information and resources that are necessary for its legitimate purpose.

[3] Advanced Persistent Threat – an advanced persistent threat (APT) is a set of stealthy and continuous computer hacking processes, often orchestrated by humans targeting a specific entity. APT usually targets organisations and/or nations for business or political motives. APT processes require a high degree of covertness over a long period of time. The “advanced” process signifies sophisticated techniques using malware to exploit vulnerabilities in systems. The “persistent” process suggests that an external command and control system is continuously monitoring and extracting data from a specific target. The “threat” process indicates human involvement in orchestrating the attack.


Padlock 2 image courtesy Saavem@freeimages.com
