Overview and open issues on penetration test

Springer Science and Business Media LLC - Volume 23 - Pages 1-16 - 2017
Daniel Dalalana Bertoglio [1], Avelino Francisco Zorzo [1]
[1] Pontifical Catholic University of RS (PUCRS), Porto Alegre, Brazil

Abstract

Several studies on security testing for corporate environments, networks, and systems have been published in recent years, so understanding how security testing methodologies and tools have evolved is an important task. One of the drivers of this evolution is penetration testing, also known as Pentest. The main objective of this work is to provide an overview of Pentest, showing its application scenarios, models, methodologies, and tools as reported in published papers. This overview may help researchers and security practitioners understand the aspects of Pentest and the solutions that already exist for it. A systematic mapping study was conducted: an initial set of 1145 papers was gathered, corresponding to 1090 distinct papers that were evaluated. At the end, 54 primary studies were selected and analyzed quantitatively and qualitatively. As a result, we classify the tools and models used in Pentest and show the main scenarios in which these tools and methodologies are applied. Finally, we present some open issues and research opportunities in Pentest.
