Search icon CANCEL
Arrow left icon
Explore Products
Best Sellers
New Releases
Books
Videos
Audiobooks
Learning Hub
Conferences
Free Learning
Arrow right icon
Arrow up icon
GO TO TOP
Network Vulnerability Assessment

You're reading from   Network Vulnerability Assessment Identify security loopholes in your network's infrastructure

Arrow left icon
Product type Paperback
Published in Aug 2018
Publisher
ISBN-13 9781788627252
Length 254 pages
Edition 1st Edition
Arrow right icon
Author (1):
Arrow left icon
Sagar Rahalkar Sagar Rahalkar
Author Profile Icon Sagar Rahalkar
Sagar Rahalkar
Arrow right icon
View More author details
Toc

Table of Contents (15) Chapters Close

Preface 1. Vulnerability Management Governance FREE CHAPTER 2. Setting Up the Assessment Environment 3. Security Assessment Prerequisites 4. Information Gathering 5. Enumeration and Vulnerability Assessment 6. Gaining Network Access 7. Assessing Web Application Security 8. Privilege Escalation 9. Maintaining Access and Clearing Tracks 10. Vulnerability Scoring 11. Threat Modeling 12. Patching and Security Hardening 13. Vulnerability Reporting and Metrics 14. Other Books You May Enjoy

Industry standards

When it comes to the implementation of security controls, we can make use of several well-defined and proven industry standards. These standards and frameworks provide a baseline that they can be tailored to suit the organization's specific needs. Some of the industry standards are discussed in the following section.

Open Web Application Security Project testing guide

OWASP is an acronym for Open Web Application Security Project. It is a community project that frequently publishes the top 10 application risks from an awareness perspective. The project establishes a strong foundation to integrate security throughout all the phases of SDLC.

The OWASP Top 10 project essentially application security risks by assessing the top attack vectors and security weaknesses and their relation to technical and business impacts. OWASP also provides specific instructions on how to identify, verify, and remediate each of the vulnerabilities in an application.

Though the OWASP Top 10 project focuses only on the common application vulnerabilities, it does provide extra guidelines exclusively for developers and auditors for effectively managing the security of web applications. These guides can be found at the following locations:

The OWASP top 10 list gets revised on a regular basis. The latest top 10 list can be found at: https://www.owasp.org/index.php/Top_10_2017-Top_10.

Benefits of the framework

The following are the key features and benefits of OWASP:

  • When an application is tested against the OWASP top 10, it ensures that the bare minimum security requirements have been met and the application is resilient against most common web attacks.
  • The OWASP community has developed many security tools and utilities for performing automated and manual application tests. Some of the most useful tools are WebScarab, Wapiti, CSRF Tester, JBroFuzz, and SQLiX.
  • OWASP has developed a testing guide that provides technology or vendor-specific testing guidelines; for example, the approach for the testing of Oracle is different than MySQL. This helps the tester/auditor choose the best-suited procedure for testing the target system.
  • It helps design and implement security controls during all stages of development, ensuring that the end product is inherently secure and robust.
  • OWASP has an industry-wide visibility and acceptance. The OWASP top 10 could also be mapped with other web application security industry standards.

Penetration testing execution standard

The penetration testing execution standard (PTES) was created by of the brightest minds and definitive experts in the penetration testing industry. It consists of seven phases of penetration testing and can be used to perform an effective penetration test on any environment. The details of the methodology can be found at: http://www.pentest-standard.org/index.php/Main_Page.

The seven stages of penetration testing that are detailed by this standard are as follows (source: www.pentest-standard.org):

  1. Pre-engagement interactions
  2. Intelligence gathering
  3. Threat modeling
  4. Vulnerability analysis
  5. Exploitation
  6. Post-exploitation
  7. Reporting

Each of these stages is provided in detail on the PTES site along with specific mind maps that detail the steps required for each phase. This allows for the customization of the PTES standard to match the testing requirements of the environments that are being tested. More details about each step can be accessed by simply clicking on the item in the mind map.

Benefits of the framework

The following are the key features and benefits of the PTES:

  • It is a very thorough penetration testing framework that covers the technical as well as operational aspects of a penetration test, such as scope creep, reporting, and safeguarding the interests and rights of a penetration tester
  • It has detailed instructions on how to perform many of the tasks that are required to accurately test the security posture of an environment
  • It is put together for penetration testers by experienced penetration testing experts who perform these tasks on a daily basis
  • It is inclusive of the most commonly found technologies as well as ones that are not so common
  • It is simple to understand and can be easily adapted for security testing needs
You have been reading a chapter from
Network Vulnerability Assessment
Published in: Aug 2018
Publisher:
ISBN-13: 9781788627252
Register for a free Packt account to unlock a world of extra content!
A free Packt account unlocks extra newsletters, articles, discounted offers, and much more. Start advancing your knowledge today.
Unlock this book and the full library FREE for 7 days
Get unlimited access to 7000+ expert-authored eBooks and videos courses covering every tech area you can think of
Renews at €18.99/month. Cancel anytime