What is it?
Automated Penetration Testing is a way of testing a computer system, software application or web application to reveal any vulnerabilities in it. These vulnerabilities could be exploited if a person with the right set of skills were to find them before we do. That person could use them to disrupt, shut down or gain access to an application. Penetration tests are often referred to as white hat attacks because they are run by "the good guys."
An automated penetration tester will gather information about an application and run a number of tests against it. The tests that are run against a system will help point out any weaknesses in an application and return results to the team working on the project. The results from the tests are reviewed by the engineers working on the project. If there are weaknesses found, the engineer will take these results and implement fixes to mitigate the vulnerabilities. It is critical that the tests be run when new features are added or before a new application is ready for production.
Smart Software Solutions employs Jenkins, a continuous integration environment, with all of our projects. Every time a developer commits a modification to a project, Jenkins builds the project and runs the associated tests. When tests fail to perform as expected, the development team is alerted.
We utilize an in-house developed penetration tester as part of all our testing cycles to ensure common vulnerabilities are tested for and addressed. As new threats are discovered, we incorporate them into our penetration tester so that all of our active projects can be retested.
A couple of the tests that run include the SQL injection and Cross Site Scripting tests. In a SQL injection, a potential attacker injects SQL statements into a form in an attempt to manipulate a database. The consequences of exploiting such a vulnerability can range from a whole database being wiped clean to an attacker gaining access to sensitive data. Another major test is cross site scripting. If input is not handled properly, cross site scripting could enable an attacker to inject client-side scripts into web pages viewed by other users. The impact can range from minor nuisances to major security risks, depending on the sensitivity of the data being handled, but every site is important and should be protected.
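The two tests described above can be written as regression checks that a CI job runs on every commit. The following is an added example, not Smart Software Solutions' in-house tester; the table, function names and probe strings are all constructed for illustration, and each check is run against a weak form and its hardened counterpart.

```python
import html
import sqlite3

# Constructed probe inputs; a safe application treats both as plain data.
SQL_PROBE = "nobody' OR '1'='1"
XSS_PROBE = "<script>alert(1)</script>"

def make_db():
    # Constructed sample data standing in for an application database.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, email TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", "alice@example.test"), ("bob", "bob@example.test")])
    return db

def find_user_concat(db, name):
    # Weak form: form input is pasted into the SQL text, so a quote in the
    # input changes the structure of the statement.
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return db.execute(sql).fetchall()

def find_user_param(db, name):
    # Hardened form: the input is bound as a value and never parsed as SQL.
    return db.execute("SELECT name FROM users WHERE name = ?", (name,)).fetchall()

def render_greeting_raw(name):
    # Weak form: input is copied into the page unchanged.
    return "<p>Hello, " + name + "</p>"

def render_greeting_escaped(name):
    # Hardened form: markup characters are encoded before output.
    return "<p>Hello, " + html.escape(name) + "</p>"

def check_lookup(lookup):
    """True if the lookup treats the probe as data (no user has that name)."""
    try:
        return lookup(make_db(), SQL_PROBE) == []
    except sqlite3.Error:
        return False  # the input reached the SQL parser and broke the statement

def check_render(render):
    """True if the probe's markup does not survive into the rendered page."""
    return "<script>" not in render(XSS_PROBE)

def run_checks():
    return {"sql_concat": check_lookup(find_user_concat),
            "sql_param": check_lookup(find_user_param),
            "xss_raw": check_render(render_greeting_raw),
            "xss_escaped": check_render(render_greeting_escaped)}

if __name__ == "__main__":
    for check, passed in run_checks().items():
        print(check, "PASS" if passed else "FAIL")
```

In a Jenkins job, any `FAIL` for code that is meant to be hardened would be turned into a non-zero exit status so the build is marked as failed.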