Continuous Penetration Testing Service Development

Description

Cyber Intelligence House has been looking into and developing a Continuous Penetration Testing service as part of their Cyber Exposure Monitoring service portfolio. Being referred to as Situational Awareness (SA), the service would allow clients to learn and find out more about their company’s security posture at any given time. The penetration testing would be done to continuously monitor the vulnerabilities on the client’s end and keep them updated regarding it. The objective of this service is to help companies, to prevent compromising their data due to a vulnerability that could have newly emerged after the client decides to implement new features or modification to their system.

The Continuous Penetration Testing development project is a joint project that consists of four members – Teo You Xiang, Nur Shahidah Binte Imran, Ashruf Ali Naaazneen Ashfur and Jani Kirmanen,. Three of which are Intern Students and one is a full-time working staff in the company.

Responsibility

The team was required to perform gray-box Web Application Penetration Testing (WAPT) on the domains belonging to a client of Cyber Intelligence House, hereafter known as ‘Client XYZ’ for confidentiality purpose. Client XYZ is an airline company that was already subscribed to the Cyber Exposure Monitoring service. When CIH proposed the service to them, Client XYZ agreed to it and thus, is co-developing the service with CIH by allowing their domains to be tested using the service.

Client XYZ gave CIH 10 domains to be tested. 3 of the domains were already tested by the project manager alone before he decided to form a team to make the testing much more efficient. The domains that were given are in use by the client’s web and mobile applications – XYZ Mobile Application, XYZ Web Application, XYZBook Mobile Application, and XYZBook Web Application.

Purpose

The purpose of this assignment is for the team of penetration testers to perform Web Application Penetration Testing (WAPT) on Client XYZ’s seven domains. By performing WAPT, the team is to find any vulnerabilities that might exist and pose a threat to the client’s business services and to find so before any malicious entity have the opportunity to discover and exploit it. After the discovery and exploitation of the vulnerabilities, the team is required to document all findings and include remediations for the vulnerabilities. This report would be used by the client to improve their security posture.

In addition to that, this project also aims to equip and train the penetration testing team at CIH with the necessary knowledge and skills required to perform penetration testing services to clients. By doing so, CIH would have in-house penetration testers and wouldn’t have the need to outsource and find testers. Having well trained penetration testers would also mean that the continuous penetration testing development project can be developed with ease and eventually be implemented into the Monitoring Dashboard.

Knowledge & Skills

- Web Application Penetration Testing
- Information Security
- Report Writing


Reflection

This assignment provided numerous opportunities for the student to experience an industry standard web application penetration testing exercise. Being able to perform WAPT exercise on seven domains allowed the student to apply and practice her knowledge and skills on penetration testing which she acquired during her polytechnic education. Despite all the lab exercises that she performed in school, she realized that out in the real world, WAPT exercises are not very straight forward and are actually quite difficult. The penetration testing cases that the student had experience with in school was very different to the industry ones in terms of the penetration testing process and simplicity.

The student feels that the knowledge and skills that she had worked on and picked up along the course of this assignment would be extremely beneficial for her in the long run. Being able to work with professional from the industry also allowed her to ask questions and clarify any doubts that she had. In addition to that, she received several useful tips and knowledge from him.

During times when the student could not progress any further, her teammates were extremely patient with her and guided her through the exercise. They were very patient when it comes to addressing any mistakes made by the student and always viewed each action as a learning experience for the next exercise. The positive minded people that the student had the opportunity to work with, made this assignment very smooth sailing for her.

In addition to the technical knowledge and skills, the student could also improve her soft skills such as communication, teamwork, team management and research work. This project required a lot of communication among the team members and with the client. When technical issues or doubts occurred, instead of making assumptions, the penetration testers had to convey their thoughts and suspicions to the rest to hear their opinion. In addition, during times of conflict of interest, the penetration testers had to talk it out to each other instead of just ignoring the problem. Each exercise, the penetration testers would take turns leading the team in terms of task delegation of the work (testing on which features, domains etc.), report writing and time management. Being able to manage the team and ensure that work was submitted on time was a skill that the student had from her polytechnic days of doing projects, but the experience she had during her internship was very different. For starters, instead of doing it for a grade, the penetration testers had to do it with the security and well-being of the client in mind. Last but not least, research work. There were often times where the penetration testers had to deal with application types and technical terms that they had no prior knowledge of. Thus, it was vital for the penetration testers to constantly read up and research on the various types of vulnerabilities, tools and exploits so that the knowledge can be used during the actual WAPT exercise.



Gallery


Team Members

Penetration Tester
Ashruf Ali Naazneen Ashfur
ISF
Performed Web Application Penetration Testing exercises on client domains