Page 1234 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide
production environment. Testers may be able to test simple applications that don't interact with other systems in a test environment. However, most applications that need to be tested are not simple. When test systems are used, penetration testers will often qualify their analysis with a statement indicating that the test was done on a test system and so the results may not provide a valid analysis of the production environment.
Obtaining Permission for Penetration Testing

Penetration testing should only be performed after careful consideration and approval from senior management. Many security professionals insist on getting this approval in writing with the risks spelled out. Performing unapproved security testing could cause productivity losses and trigger emergency response teams.

Malicious employees intent on violating the security of an IT environment can be punished based on existing laws. Similarly, if internal employees perform informal tests against a system without authorization, an organization may view their actions as an illegal attack rather than as a penetration test. These employees will very likely lose their jobs and may even face legal consequences.
Penetration-Testing Techniques

It is common for organizations to hire external consultants to perform penetration testing. The organization can control what information they give to these testers, and the level of knowledge they are given identifies the type of tests they conduct.

Chapter 20, "Software Development Security," covers white-box testing, black-box testing, and gray-box testing in the context of software testing. These same terms are often associated with penetration testing and mean the same thing.

Black-Box Testing by Zero-Knowledge Team A zero-knowledge team knows nothing about the target site except for publicly available information, such as a domain name and company address. It's as if