This article provides background information on penetration test-ing processes and practices. It then discusses the issues related to integrating penetration testing into a software development life cycle by describing the pit-falls associated with traditional penetration testing practices as well as making recommendations for improving these practices. A related article describes types and examples of penetration testing tools.
Today’s software penetration testing tools, practices, and (to some degree) staff have been developed and improved for an IT Security user base, primarily. However, to effectively make use of these elements in a software development environment takes careful thought and clear goals.
For example, most existing penetration testing tools and services offer a fairly rigid technology-centric perspective of their respective findings. This is in stark contrast with the software security touchpoints recommended here on the BSI portal, where a more business risk approach is stressed. The business and archi-tectural risk analysis process should serve as a prioritization input to penetration (and other security) testing processes. However, that is not generally what hap-pens in today’s environment [Arkin 2005, Janardhanudu 2005, Michael 2005].
To get around this, and to get closer to the practices discussed here on BSI, this document provides a description of and recommendations for a penetration test-ing process and methodology that is more suited to the needs of software devel-opers than is typically found today.
Additionally, the document provides both a conceptual as well as a more specific survey of the tools available today for conducting penetration testing. This tool survey is then balanced against the need for trained, skilled, and highly motivat-ed testing staff. Staff training is addressed and compared against mentoring or apprenticeship types of on the job training processes.