Understanding the Penetration Test Workflow: a security test with Tramonto in an e-Government application

Daniel Dalalana Bertoglio, Luis G. B. Schüler, A. Zorzo, R. C. Lunardi
Published in: 2022 IEEE International Conference on Trust, Security and Privacy in Computing and Communications (TrustCom), December 2022.
DOI: 10.1109/TrustCom56396.2022.00229 (https://doi.org/10.1109/TrustCom56396.2022.00229)

Abstract

Security and privacy have become vital to any current computational system or application. In particular, investigating possible security issues, in order to mitigate data leaks or tampering, is an important step in current software development. Penetration tests (pentests) are performed to detect possible system flaws and to prevent or correct eventual security issues. However, pentesting a system can be complex and hard to control. There are many activities throughout the pentesting process, and it is common to have difficulty controlling them. At the same time, it is not easy to determine precisely which activities will be performed, since each tester may follow a specific methodology or even use their own testing model. Based on the main security assessment methodologies, we created a framework for penetration testing that aims to improve the test workflow in terms of management, organization, standardization, and flexibility. This framework is called Tramonto. This paper presents and discusses a pentest case study performed by a security company using the Tramonto framework. To present this case, we introduce Tramonto-App, a software tool implemented using the definitions present in the Tramonto framework. Tramonto-App was designed to assist testers in penetration tests through features that help to organize scripts, handle the testing workflow, and generate reports. As a result, using Tramonto-App reduced the number of pentesting problems and the (human) effort required to perform the penetration test, allowing the tester to improve the quality of the pentest.