Risks of Penetration Testing

770
Chapter 17 
■
Preventing and Responding to Incidents
to check for the response. It is possible for a fuzz tester to send a stream of data that causes 
a buffer overfl ow and locks up an application, but testers don’t know that will happen until 
they run the fuzz tester. Experienced penetration testers can minimize the risk of a test 
causing damage, but they cannot eliminate the risk. 
Whenever possible, testers perform penetration tests on a test system instead of a live 
production system. For example, when testing an application, testers can run and test the 
application in an isolated environment such as a sandbox. If the testing causes damage, 
it only affects the test system and does not impact the live network. The challenge is that 
test systems often don’t provide a true view of a production environment. Testers may be 
able to test simple applications that don’t interact with other systems in a test environment. 
However, most applications that need to be tested are not simple. When test systems are 
used, penetration testers will often qualify their analysis with a statement indicating that 
the test was done on a test system and so the results may not provide a valid analysis of the 
production environment.

Download 19,3 Mb.

Do'stlaringiz bilan baham: