In the past, the importance of information security was not appreciated by everyone. Today, however, a market has formed around taking security precautions. Many aspects of information security are expected to change with the Law on the Protection of Personal Data, No. 6698, which came into force in our country on 7 April 2018. But where should one start? The best starting point is security testing. A penetration test, also known as a pentest or penetration testing, is an important scanning and vulnerability detection activity that brings together many individual tests.

It is one of the most common means of determining an organization's security posture and analysing its vulnerabilities: information technology experts carry out tests in many areas, such as social engineering, network security, DDoS tests and web application tests. In particular, in-depth scanning of internal systems gives a clear picture of how well information security holds up against cyber attacks on vulnerable systems that would otherwise remain exposed. However, there are two important points that should not be forgotten. The first is that the tests must be directed at the needs of the institution. The second is that the security experts must be selected in the way most appropriate to the tests to be carried out; what matters is the quality of the team that will perform the penetration tests rather than the company behind it.

Penetration tests carried out to improve security are only the first dimension of the job. It should be noted that the next phase will be more challenging: the vulnerabilities found by the security tests also have to be closed. Security tests only make the vulnerabilities known; they do not close them.

Let's examine the details of some penetration tests. In some cases the tests are carried out in three forms. These forms, called black box, gray box and white box tests, differ in the amount of information provided to the security professional. In black box tests the tester is given no information at all, while in white box tests all information (passwords and other details) is provided. As the colour suggests, gray box tests are those where the information provided is neither complete nor absent.

Another point to be aware of is the continuity of the tests. Changing conditions, newly added components, mistakes made along the way or simply the passage of time can make a system vulnerable again. It is therefore necessary to repeat these tests and to ensure continuity at regular intervals. Experts and published guidance recommend that these tests be performed externally at least once a year, so that an outside eye from beyond the enterprise is obtained.

Penetration tests are not a security solution or a physical protection system. For that reason, the service received cannot be measured by the number of weaknesses found. Instead, the detailed report of the service received and, if necessary, the details of a closing meeting should be questioned and examined. Another point is that the external pentest service should not always be carried out by the same firm or the same expert. As time passes, one of the purposes of the outside eye is lost. To prevent this, a change of company every two years is required or recommended.

The ISO 27001 information security standard and the Personal Data Protection Law No. 6698 (KVKK for short), which have become mandatory in our country in recent years, require security tests. Whether they are a legal necessity or not, penetration tests are the safety valve of information security.

These tests are carried out by people known as white-hat hackers, and the services they provide should be delivered by highly qualified persons. Because these people have many years of accumulated experience, their services come at a higher cost. Companies that want this service, however, want to receive it as cheaply as possible. It is reasonable to want the service to be economical, but compromising on quality may result in an inadequate service. It is therefore important to examine the price/performance balance carefully before the critical decision is made.

Another concept that people often confuse with the penetration test is vulnerability analysis. Vulnerability analysis is a more in-depth analysis than a security test. In particular, the vulnerability assessment of information technology products is carried out within the Common Criteria evaluation defined by ISO. The security of the product is certified under the ISO 15408 standard at the end of a successful evaluation process.

After the security tests are completed, the vulnerabilities are evaluated according to their criticality. Once all measures have been taken, the security screening is performed again; these verification tests confirm that the service has been completed.

Security tests may follow a fixed set of rules, or they may be diversified by tests devised by individual testers. In either case it is important to ensure that the existing systems are not harmed and that the state of the systems before the tests began is preserved. In security tests the purpose is to demonstrate the vulnerabilities and report the findings, not to break the system. Afterwards the system should be restored to and left in its original state.

There is no single, specific standard for security test reporting. Some authorities offer suggestions for the contents to be included in the report.

The technical side of the assessment is only half of the overall evaluation process. The final product is a well-written and informative report. The report should be easy to understand and should highlight all the risks identified during the evaluation phase. It should address both executive and technical staff.

According to the OWASP guidance on test reporting, the following sections are recommended.

1. Executive Summary

The executive summary sums up the overall findings of the assessment and gives business managers and system owners a high-level view of the identified vulnerabilities. The language used should suit readers without a technical background and should include graphs or other charts showing the level of risk. Keep in mind that managers will probably only have time to read this summary, and that they will ask two questions to be answered in plain language: 1) What is the problem? 2) How can I fix it?

The executive summary should clearly state that the vulnerabilities and their severity are an input to the organization's risk management process, not an outcome or a remediation of it. It is safest to explain that the tester does not know the threats faced by the organization or the business consequences if a vulnerability is exploited. That is the task of the risk professional, who calculates the risk level based on this and other information.

2. Test Parameters

The introduction should summarize the parameters of the security test, the findings and the remediation. Some recommended section headings are:

2.1 Project Objective: This section summarizes the project objectives and the expected outcome of the assessment.

2.2 Scope of Project: This section summarizes the scope agreed on.

2.3 Project Schedule: This section summarizes when the test started and when it was completed.

2.4 Objectives: This section lists the applications or systems targeted and how many there are.

2.5 Restrictions: This section summarizes every limitation encountered during the assessment, for example limits on the project-oriented tests, limits on the security testing methods, or performance or technical problems encountered while the tests were being evaluated.

2.6 Findings Summary: This section summarizes the security vulnerabilities discovered during the test.

2.7 Remediation Summary: This section summarizes the action plan for correcting the vulnerabilities identified during the test.

3. Findings

The last part of the report contains detailed technical information about the vulnerabilities found and the actions required to resolve them. This section is written for a technical audience and should include all the information the technical teams need to understand and resolve the issue. Each finding should be clear and concise and give the reader a complete understanding of the subject.

The Findings section should include:

a) Screenshots and command lines showing which steps were performed during the execution of the test case
b) The affected item
c) A technical description of the problem and of the affected function or object
d) A section on how to solve the problem
e) Severity