Imagine that you’re an airline pilot on a trans-Pacific flight. You’re thousands of miles from your destination when suddenly an alarm starts blaring in the cockpit, signaling to you, your co-pilot, and the flight crew that one of the plane’s engines is failing due to an electrical issue. As you attempt to troubleshoot the issue, the alarm continues. Another engine has suddenly failed, leaving the plane with only two of its four engines working. As a pilot, you know that you have an hour or two at best before your plane drops to an altitude it can’t recover from, leading to an eventual crash landing somewhere in the middle of the Pacific Ocean. How could you and air traffic control possibly troubleshoot the plane’s engine issues and repair them in time to prevent an emergency landing over open water?
One way such a disaster could be averted is through a “tiger team” of specialists who possess the technical knowledge and expertise to troubleshoot your plane’s engine issues from a remote location. The first tiger team was formed during the fateful Apollo 13 mission of 1970; it troubleshot a critical oxygen leak in the Apollo 13 vessel alongside the Apollo astronauts in order to prevent disaster and return the vessel’s crew safely back to Earth. Over the last 50 years, technological innovation has created an even more complex network of applications, supporting industries from space exploration to banking. Today, tiger teams are still utilized by companies in virtually every industry to identify, assess, and solve critical vulnerabilities. Today’s “tiger teams” are more commonly referred to as penetration testers, or “pentesters”.
What Is “Pentesting”?
Just like the original tiger team tasked to solve Apollo 13’s critical oxygen leak, the pentesters of today’s world are a team of technical specialists whose job is to purposely attack a software application, platform, and/or network for the purpose of identifying, assessing, and solving potential vulnerabilities in the software itself. These vulnerabilities are more commonly referred to as “bugs” or “glitches” in the software, which if left unchecked could pose security risks to users of the software.
Pentesting is typically conducted at the behest of an organization’s, company’s, or institution’s stakeholders, who contract a team of third-party pentesters and agree with them on the scope of testing. The pentesters leverage their expertise to attack the stakeholder’s software with the goal of finding and analyzing any exploitable weaknesses in the software, which are then documented in a report and delivered to the stakeholders.
Though most pentesting generally follows the same rigorous methodology to ensure the software is tested thoroughly, the specific requirements and scope tend to vary depending on the particular group of stakeholders who request the testing, their organization’s specific needs, and their goals.
Ultimately, the goal of each pentest should be to identify potential vulnerabilities in the software, from smaller “bugs” to larger and more critical or systemic vulnerabilities within the software’s code. Pentesters must rank the vulnerabilities found by level of criticality and offer recommendations for remediation.
The Different Types of Pentesting
Whenever specialists refer to “pentesting” as a service, they can be referring to any of the following different “types” of pentesting:
- White-box testing: this is the sort of pentesting performed by NASA’s original tiger team on Apollo 13, where the team of pentesters is given full prior knowledge of the system they are entering as well as full access to the system’s code in order to perform a full on-site assessment.
- Grey-box testing: sometimes referred to as “credential-assisted black-box testing”, where pentesters are provided limited prior access to and/or knowledge of the system they are attacking.
- Black-box testing: this type of pentesting requires pentesters to perform extra reconnaissance, as they are given no prior internal knowledge of the system they are purposely attacking, in order to more closely mimic the potential behavior of malicious hackers who could exploit the system’s vulnerabilities.
- Red-Teaming/Blue-Teaming: while similar to traditional pentesting, this approach utilizes two separate teams that emulate malicious hackers (Red team) and defenders (Blue team). This is more of a long-term approach to pentesting, since it allows the Red team to emulate the methodology of known malicious attackers, probing a system’s defenses for weeks, months, or longer, while the Blue team works to detect and defend against the Red team’s emulated attacks.
Each of the above types of pentesting could use any combination of human pentesters and automated artificial intelligence (AI) programs to identify a broader range of vulnerabilities in less time. Utilizing a combination of human expertise and machine learning/AI in pentesting also tends to provide a much more robust methodology for emulating the potential scope of malicious attacks, and has become more commonplace in stronger pentesting exercises in recent years through the advancement of pentesting AI toolkits.
Automation and Pentesting
The three most common types of AI that can be used in tandem with human pentesters are:
- Scanners: automated tools that crawl a software system’s code or interfaces to scout for potential vulnerabilities and report them, but do not attempt to exploit any uncovered vulnerabilities in the system.
- Static Application Security Testing (SAST): sometimes referred to as “static analysis”, SAST is most often used in White-box pentesting to identify any vulnerabilities in a software system’s source code before the code is finalized. It is most commonly applied to software that has not yet been commercialized or released for public or mass-internal use.
- Dynamic Application Security Testing (DAST): where SAST is often used in White-box testing, DAST is most commonly used in Black-box testing of a running web application’s front-end, allowing human pentesters and automated tools to work together to perform more thorough and sophisticated attacks on a software system to better emulate the behavior and methods of a malicious hacker or attack.
These examples of AI, while extremely helpful when placed in the hands of a skilled pentester or team of technical pentesting professionals, are limited in their standalone performance. Such scanners can produce false positives among the vulnerabilities they report, and are commonly unable to detect vulnerabilities that arise from flaws or misconfigurations in the system’s design rather than in its code.
Ultimately, just as the skill sets and toolkits used by NASA’s original “tiger team” have evolved over the past 50 years, the methodology, skills, and tools used by both pentesters and malicious hackers will continue to evolve in the coming years. As the technology we use every day becomes more commonplace and complex simultaneously, so too must the skills and tools used by pentesters in order to best protect the data we place into software applications and platforms online.
Seemant Sehgal is the Founder & CEO of BreachLock Inc. – the world’s first AI-powered full-stack and SaaS-enabled Penetration Testing as a Service. Since 2019 BreachLock has quickly emerged as a market disrupter in the traditionally human-dependent Penetration Testing market.