Isn't "Penetration Testing" the same thing as "Vulnerability Scan" anyway?
Penetration testing and vulnerability scanning are different activities. A vulnerability scan consists of quick checks performed with automated tools. No work is done to exploit the findings, and their possible impact on other parts of the system is not examined.
A penetration test goes beyond vulnerability scanning: it verifies the scan results, exploits the vulnerabilities found, uncovers further vulnerabilities through new analysis of the systems, and also examines vulnerabilities arising from business logic.
Which assets should an organization have tested under ISO/IEC 27001?
The organization is required to have a penetration test performed on all assets recorded in its "Asset Inventory". Server systems, network components, web applications and mobile applications are examples of such assets.
The criterion to consider here is whether the organization is responsible for the asset. For example, if an application developed by the organization has been handed over to a customer and is no longer under the organization's responsibility, no penetration test is required for it.
When all assets are considered for penetration testing, isn't the cost very high? How can this be reduced?
At this point, vulnerability scanning can come to the rescue. If the organization performs vulnerability scans instead of penetration tests on assets with a low criticality level, it will have taken a basic measure at a lower cost.
In addition, for systems that require signing in with a user account, leaving the post-login stages out of the test scope reduces the cost. Although testing the post-login stages is useful, this approach allows a cost calculation in which only the anonymous (unauthenticated) part of the application is tested in the first stage.
Another practice that reduces the cost of penetration testing is close cooperation with the test team throughout the engagement. Giving the team direct access to the systems under test prevents time being lost on discovering and reaching those systems, which in turn lowers the cost.
What does penetration testing in accordance with ISO/IEC 27001 mean?
ISO/IEC 27001 does not provide or recommend any penetration testing methodology. In this context, the use of the term "ISO 27001 compliant penetration test" is generally seen as correct.
To illustrate, the following regulations, methodologies and guidelines are examples of other frameworks that a penetration test is commonly described as being compliant with:
- PCI DSS compliant penetration testing
- ISSAF compliant penetration testing
- OWASP compliant penetration testing
[Source: Published by BTUYUM on October 9, 2021]