
Towards side-effects-free database penetration testing

Tran Thi Q.N. (HCM University of Technology, Ho Chi Minh City, Viet Nam)
Dang T.K.

Journal of Wireless Mobile Networks, Ubiquitous Computing, and Dependable Applications, Issue 1, 2010 (Volume 1, pages 72-85)

ISSN: 20935374

Document category: Scopus

Article

English

English abstract
Penetration testing is one of the most traditional and widely used techniques for detecting security flaws in systems by conducting simulated attacks on the target systems. Organizations can develop a tool based on this technique to assess their own security systems or use third-party software. However, besides its advantage of exposing real security vulnerabilities without false results, this technique might leave side effects on the target systems, such as incomplete testing, excessive time consumption, disclosure of sensitive information, etc., if it is used unwarily. Therefore, penetration testers or testing providers need a methodology so that the test can be carried out more effectively in the security environment and, more importantly, so that it builds trust with the organizations, as their systems will be verified. In this paper, we propose an extended and specific methodology for side-effects-free penetration testing for the detection of database security flaws. In addition, based on this methodology, the proposed system architecture for a penetration testing tool to detect database security flaws in the secure environment, which is implemented in Oracle Database Server 10g/11g, will consolidate the applicability and effectiveness of our proposed methodology.