ANALYSIS OF THE TECHNOLOGIES OF WEB-APPLICATIONS PENETRATION TESTING

Authors

  • Kupershtain Leonid, Vinnytsia National Agrarian University
  • Prytula Andriy, Vinnytsia National Technical University
  • Malinovskyi Vadym, Vinnytsia National Technical University

Keywords:

web-application, penetration testing, penetration testing standards, frameworks of penetration testing

Abstract

The paper analyzes penetration testing technologies used to detect vulnerabilities in web-applications. White box, grey box and black box methods are considered; each of these methods has its own approaches and advantages in revealing vulnerabilities. The OSSTMM, NIST, OWASP, PTES and ISSAF standards are considered in detail; each of these standards provides its own methodologies and recommendations for penetration testing. For instance, OSSTMM is an international methodology that suggests a division into three main classes of security and describes in detail the procedures of preparation for testing. NIST is focused on planning, execution and post-operation, underlining the importance of collecting information at the planning stage. OWASP stresses the need for security testing at each stage of software development. PTES gives practical recommendations regarding each of the seven stages of the penetration test. ISSAF suggests a three-phase approach, including planning, testing and formation of the report. In addition, the paper studies the Mitre ATT&CK, CIS Controls and Cyber Kill Chain frameworks, which help organizations understand and counteract cyberattacks. Mitre ATT&CK is known for its wide coverage of attacks and its deep analysis of attack tactics and methods. CIS Controls concentrates on specific security controls that can be applied directly to protect systems, and Cyber Kill Chain provides a structured approach to the analysis and prevention of cyberattacks. The paper also contains recommendations regarding the implementation and usage of modern penetration testing techniques for improving the security of information systems. The results of the research can be useful for cybersecurity specialists and developers of web-applications, helping them better understand and implement efficient methods of cybersecurity.

Author Biographies

Kupershtain Leonid, Vinnytsia National Agrarian University

Cand. Sc. (Eng.), Associate Professor with the Department of Information Security

Prytula Andriy, Vinnytsia National Technical University

Post Graduate with the Department of Information Security

Malinovskyi Vadym, Vinnytsia National Technical University

Cand. Sc. (Eng.), Associate Professor with the Department of Information Security

Published

2026-02-05

How to Cite

[1]
L. Kupershtain, A. Prytula, and V. Malinovskyi, “ANALYSIS OF THE TECHNOLOGIES OF WEB-APPLICATIONS PENETRATION TESTING”, Works of VNTU, no. 2, Feb. 2026.

Section

Information Technologies and Computer Engineering
