Penetration testing
Summary of Penetration testing
Penetration testing in Application Vulnerability Response allows application owners to manually assess their application's security posture through ethical hacking. This process involves requesting, conducting, and resolving penetration test assessments to identify vulnerabilities and improve application security.
Roles Required
- App-Sec Manager: Includes security managers and application owners responsible for managing penetration testing assessment requests with specific roles for request management and reading application and configuration data.
- Ethical Hacker: Members of the ethical hacking team who perform the penetration testing and manage manual findings, assignments, and testing configurations. They have roles allowing them to update, manage, and read relevant penetration testing data.
Penetration Testing Life Cycle
- Requesting Assessment: Application owners can request penetration tests either through the service catalog (pre-v19.0) or directly via the Penetration Test Assessment Requests module (v19.0 and later).
- Reviewing Requests: The ethical hacking team reviews and scopes the request, adding it to their backlog.
- Preparing Environment: The ethical hacking team requests an appropriate testing environment from the application owner, who provides access and notifies the team when ready.
- Testing and Reporting: Ethical hackers perform manual penetration tests, create Application Vulnerable Items (AVIs) as findings, and define remediation SLAs with target dates. Application owners review these findings and assign fixes to their teams.
- Fixing and Validating: Application teams fix the vulnerabilities, after which the ethical hacking team manually validates and closes the findings.
Additional Information
- Penetration test findings are manually created AVIs, and remediation target rules do not apply to them.
- The ethical hacking team can maintain a reusable library of Application Vulnerability Entries (AVEs) to streamline reporting.
- Starting with version 19.0, penetration assessments from Veracode Vulnerability Integration are manual findings not linked to Application Vulnerability Response penetration test requests.
- Use the Application Vulnerability Management Performance Analytics (PA) dashboard to track penetration test findings and monitor progress.
Penetration testing in Application Vulnerability Response enables application owners to assess the security posture of their application. It is the manual testing of an application by the ethical hacking team.
Roles required
Penetration testing requires the following roles:
App-Sec Manager: Contains security managers and application owners who manage the penetration testing assessment requests. It contains the following granular roles:
- sn_vul.app_manage_pen_test_request
- sn_vul.app_read_all
- cmdb_read
Ethical Hacker: Contains members of the ethical hacking team who perform penetration testing of applications. It includes the following granular roles:
- sn_vul.app_update_assignment_group
- sn_vul.app_update_assigned_to
- sn_vul.app_manage_manual_avits
- sn_vul.app_manage_pen_test_request_config
- itil
- sn_vul.app_read_all
- sn_vul.app_manage_pen_test_request
- sn_vul.app_update_state
For more information about these roles, see Application Vulnerability Response user groups and roles.
Starting with v19.0 of Vulnerability Response, if you are using the Veracode Vulnerability Integration, the penetration assessment tests it imports are manual findings from Veracode. They are not linked to any penetration test assessment requests you configure in Application Vulnerability Response. For more information about penetration test assessments from Veracode, see the Veracode Vulnerability Integration.
Life cycle of penetration testing
As an application owner, you can ask the ethical hacking team for a penetration test assessment of your application. The ethical hacking team acts on this request and creates penetration test findings. These findings are manually created Application Vulnerable Items (AVIs).
The penetration testing workflow covers the penetration testing life cycle from raising the testing request to resolving the findings of the ethical hacking team.
Requesting a penetration test assessment
Starting with v19.0, you can create new requests or copy existing requests at .
Prior to v19.0, as the application owner, you can request a penetration test assessment for your application using the ITSM service catalog.
Reviewing the penetration test assessment request
The ethical hacking team reviews and assesses the application and the scope of the penetration test assessment request, and adds it to the existing backlog.
Preparing an environment
The ethical hacking team then asks the application owner to provide an environment in which testing can start. Once the environment is ready, the application owner informs the ethical hacking team.
For more information about configuring test requests, see Configure penetration testing.
Testing and reporting the penetration test findings
The ethical hacking team can create a library of Application Vulnerability Entries (AVEs) and reuse them while reporting the AVIs. They can also track the status of the penetration test findings.
Fixing and validating the penetration test findings
After the application team fixes and resolves the penetration test findings, the ethical hacking team manually validates the fixes and closes the findings.
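The life cycle above, from request through validation, as a role-gated state machine (an added example, not ServiceNow's own code): it encodes which group the page assigns to each step, and that penetration test findings are manual AVIs whose remediation target date is set explicitly because remediation target rules do not apply. The state names, the group labels and the request/finding objects are assumptions chosen to mirror the page's steps.

```javascript
// Added example, not ServiceNow's own code: this page's penetration test life
// cycle as a role-gated state machine; state names and objects are assumptions.
const APP_SEC_MANAGER = "App-Sec Manager"; // application owners and security managers
const ETHICAL_HACKER = "Ethical Hacker";   // the ethical hacking team
// One transition per life-cycle step, with the group the page assigns to it.
const TRANSITIONS = {
  requested:     { to: "scoped",        by: ETHICAL_HACKER },  // review, scope, add to backlog
  scoped:        { to: "env_requested", by: ETHICAL_HACKER },  // ask the owner for a test environment
  env_requested: { to: "env_ready",     by: APP_SEC_MANAGER }, // owner provides access and notifies
  env_ready:     { to: "testing",       by: ETHICAL_HACKER },  // manual testing starts
  testing:       { to: "reported",      by: ETHICAL_HACKER },  // findings filed as manual AVIs
  reported:      { to: "fixed",         by: APP_SEC_MANAGER }, // owner assigns fixes, app team fixes
  fixed:         { to: "closed",        by: ETHICAL_HACKER },  // team validates fixes and closes
};
function newRequest(application, requestedBy) {
  return { application, requestedBy, state: "requested", findings: [] };
}

// Advance a request one step. Refuses when the actor's group is not the one the
// page assigns to that step, or when a finding is still unfixed at closure.
function advance(request, actorGroup) {
  const t = TRANSITIONS[request.state];
  if (!t) throw new Error(`request is ${request.state}; nothing further to do`);
  if (actorGroup !== t.by) throw new Error(`${t.by} required to move ${request.state} -> ${t.to}`);
  if (t.to === "closed" && request.findings.some((f) => f.state !== "fixed")) {
    throw new Error("all findings must be fixed before the team validates and closes");
  }
  request.state = t.to;
  if (t.to === "closed") request.findings.forEach((f) => { f.state = "closed"; });
  return request.state;
}

// Findings are manually created AVIs: remediation target rules do not apply, so
// the ethical hacker sets the remediation target date explicitly.
function addFinding(request, actorGroup, aveName, targetDate) {
  if (actorGroup !== ETHICAL_HACKER) throw new Error("only the ethical hacking team files findings");
  if (request.state !== "testing") throw new Error("findings are filed while the request is in testing");
  if (!(targetDate instanceof Date) || Number.isNaN(targetDate.getTime())) {
    throw new Error("manual AVI needs an explicit remediation target date");
  }
  const avi = { ave: aveName, targetDate, state: "open" };
  request.findings.push(avi);
  return avi;
}
// The application team reports a fix; closure still needs the team's validation in advance().
function markFixed(finding, actorGroup) {
  if (actorGroup !== APP_SEC_MANAGER) throw new Error("the application team marks findings fixed");
  return (finding.state = "fixed");
}
```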
Application Vulnerability Management reports
Use the reports available on the Application Vulnerability Management PA dashboard to track the penetration test findings.