
	Home > Ask the Security Experts > Platform Security Questions & Answers > What are the pros and cons of zero-knowledge penetration tests?

Ask The Security Expert: Questions & Answers

EMAIL THIS

What are the pros and cons of zero-knowledge penetration tests?

EXPERT RESPONSE FROM: Michael Cobb, featured expert

		Pose a Question

		Other Security Categories

		Meet all Security Experts
		Become an Expert for this site

Digg This!

StumbleUpon

Del.icio.us

QUESTION POSED ON: 29 May 2008
What are the pros and cons of penetration tests where the tester has zero knowledge of the website being tested? And should testers ideally have zero knowledge (to better simulate an attacker's mindset)?

Zero knowledge in the context of a penetration test on a website means that the penetration tester is told very little about the target, maybe as little as its URL, thereby simulating real-world attackers.

While it can be helpful, perhaps in the context of budgeting and office politics, to present your boss with a report that proves even someone who has no inside knowledge of the new website can hack into it, I have several reservations about the zero-knowledge approach. We know that a certain percentage of attacks are going to come from inside the network perimeter, or from the outside with insider help. If you want to know how secure your site is across all real-world scenarios, zero knowledge is not necessarily the best starting point.

A zero-knowledge approach also has the potential drawback of being slower to return results. If you describe some of the basics of your system to the tester beforehand, it can save time, and time is often tight when a new product is being rolled out. One important variable here is the status of the target: is it in production or in development? When testing a production system, you may want testers to let you know about a gaping hole as soon as it is discovered, rather than waiting until the final report. Provided the contract with the tester is appropriately worded, you may be able to patch the hole and get the patch tested. Indeed, some would argue that treating a pen-test as an iterative improvement in security is better bang for the buck.

Finally, whether you choose to proceed from a zero-knowledge starting point, remember that you can't truly replicate the real world without breaking the law. You must assume your attackers are prepared to commit illegal acts to achieve their ends, but few organizations are in a position to give their pen-testers a get-out-of-jail-free card. So, you will want your pen-tester to be able to think like a criminal hacker and document for you those methods of penetrating the system that rely on illegal acts.

The bottom line is that the real world and a pen-test are two different things, and your security money may be best spent having seasoned security experts explore the potential vulnerabilities of your product while armed with plenty of knowledge about it, rather than setting up unrealistic testing scenarios.

More information:

Get advice on how to use penetration testing to help with compliance efforts.
Social engineering testing and penetration testing: Learn how they mix.

BROWSE BY TAG

Platform Security, Application and Platform Security, Enterprise Vulnerability Management, Security Testing and Ethical Hacking, VIEW ALL TAGS

Digg This!

StumbleUpon

Del.icio.us

RELATED CONTENT

	Platform Security
	What patch management metrics does Project Quant use?
	Should developers create libraries of common cryptographic algorithms?
	How to secure USB ports on Windows machines
	What is the best database patch management process?
	What is an encryption collision?
	What are new and commonly used public-key cryptography algorithms?
	Should management processes change based on a patch release schedule?
	Does an EULA make it truly illegal to decompile software?
	Should businesses delay Windows Vista adoption and just buy Windows 7?
	Why should we place data files on a separate partition than the OS?

Security Testing and Ethical Hacking

H.D. Moore speaks about Metasploit Project deal, Release 3.3

Could Metasploit popularity erode?

Metasploit Project acquired by vulnerability management firm Rapid7

Should management processes change based on a patch release schedule?

Does an EULA make it truly illegal to decompile software?

Screencast: BackTrack 4 offers an arsenal of penetration testing tools

Security testing firm uncovers XML vulnerabilities

Screencast: Samurai offers pen-testing nirvana

The requirements needed to make an external penetration test legal

McAfee to acquire Solidcore Systems for whitelisting

RELATED GLOSSARY TERMS

Terms from Whatis.com − the technology online dictionary

Cyber Storm (SearchSecurity.com)

ethical hacker (SearchSecurity.com)

ethical worm (SearchSecurity.com)

gray hat (SearchSecurity.com)

honey pot (SearchSecurity.com)

honeynet (SearchSecurity.com)

war dialer (SearchSecurity.com)

white hat (SearchSecurity.com)

RELATED RESOURCES

2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems

Search Bitpipe.com for the latest white papers and business webcasts

Whatis.com, the online computer dictionary

Search and Browse the Expert Answer Center
Search and browse more than 25,000 question and answer pairs from more than 250 TechTarget industry experts.

Browse our Expert Advice
Operating Systems IT Management Networking Database	Security Servers and Storage Applications and Development Career Center

Find Security Solutions for Your Business

View this month\\'s issue and subscribe today.

Apply online for free conference admission.

SEARCH :

Site Index

TechTarget provides technology professionals with the information they need to perform their jobs - from developing strategy, to making cost-effective purchase decisions and managing their organizations' technology projects - with its network of technology-specific websites, events and online magazines.


TechTarget Corporate Web Site \| Media Kits \| Site Map All Rights Reserved, Copyright 2003 - 2009, TechTarget \| Read our Privacy Policy