What is Penetration Testing and How Does It Work?

Sorry, not available in this language yet

English
日本語
简体中文

AppSec SaaS Platform | Integrated, cloud-based AST solution optimized for development and DevSecOps teams.
AppSec IDE Plug-ins | Secure code as you write it in your IDE
Software Risk Management | Manage application security programs at enterprise scale
DevSecOps Integrations | Integrate AppSec tools into DevOps workflows

Static Analysis (SAST) | Address security and quality defects in code as it's being developed
Software Composition Analysis (SCA) | Secure and manage open source risks in applications and containers
Interactive Analysis (IAST) | Automate web security testing within your DevOps pipelines
Dynamic Analysis (DAST) | Continuous web application security testing in production.
Penetration Testing | Identify business-critical vulnerabilities with on-demand testing expertise.
Protocol Fuzzing | Identify defects and zero-day vulnerabilities in services and protocols

Program Strategy & Planning | Measure, scale, and optimize your AppSec program
Threat & Risk Assessments | Understand and address internal and external security risks
Security Training | Equip development teams with the skills they need to produce more secure software
Implementation & Deployment | Optimize utilization, management and deployment of AppSec tools
Security Testing Services | On-demand AppSec testing resources and expertise

Open Source & Security Audits | Comprehensive technical due diligence services for M&A

Manage Software Risk | Manage software risk at the speed your business demands.

Dev and DevOps Teams | Build secure software while maintaining developer productivity and pipeline velocity.
Security Teams | Align people, processes, and technology to minimize software risk and transform your business.
Legal Teams | Solutions to protect your IP and manage risk.

API Security Testing | Manage software risks with a holistic API security testing program.
Application Security Testing | Solutions to address security risks at all stages of the application life cycle.
DevSecOps | Solutions to help shift security left without slowing down your development teams.
Software Supply Chain Security | Solutions to identify and manage software supply chain risks end-to-end.
Cloud & Container Security | Optimize your applications for secure deployment and operation in the cloud
Open Source Security & License Management | Effective solutions for ensuring open source security and license compliance
Malicious Code Detection | What hidden threats are lurking under the surface of your code?
M&A Due Diligence | Identify software risks that could negatively impact the value of acquired IP.
Quality & Security Standards Compliance | Ensure your software complies with the standards critical to customers and regulators

Financial Services | Protect sensitive customer and financial data from rapidly evolving security threats.
IoT & Embedded | Ensure your embedded and IoT devices are safe, secure, and reliable.
Automotive | Build software security & reliability into the modern connected car.
Telecommunications | Create seamless and safe mobile experiences, from silicon to software.
Aerospace & Defense | Solutions for automating mission-critical development.
Public Sector | Application security for government agencies and their suppliers.
Medical Device | Safeguard medical devices and applications.

AppSec Program Strategy News | Get insights from Synopsys cybersecurity experts on building a security program.
DAST News | Expert insight on dynamic analysis (DAST).
IAST News | Expert insight on interactive analysis (IAST).
SAST News | Expert insight on static analysis (SAST).
Open Source and Software Supply Chain News | Discover open source and software supply chain risk management tips and best practices.
Fuzz Testing News | Learn more about fuzz testing, including instrumentation techniques and best practices.
Security and Developer Training News | Articles on security and developer training to help strengthen your team’s knowledge around security
Software Composition Analysis News | Expert insight on software composition analysis (SCA).
Security Risk News | Read the latest information on how to manage application security risks.
Security Research News | Get an analysis of today’s application security news and research.

Case Studies | Application security customer stories
eBooks | Browse the latest ebooks on software security trends and best practices
Glossary | Glossary of Application Security, EDA & Semiconductor IP terms
Reports | Browse the latest application security reports from Synopsys and industry-leading analysts.
Webinars | Browse the latest webinars on application security solutions, trends, and strategies.
White Papers | Access the latest white papers for technical knowledge on application security solutions.

Overview | Learn more about the Synopsys Cybersecurity Research Center.
Research | Access the latest first-party research and analysis from the Synopsys Cybersecurity Research Center.

Press Releases | Browse our most recent news releases.

Table of Contents

What are the benefits of penetration testing?
How much access is given to pen testers?
What are the phases of pen testing?
What are the types of pen testing?
What are the types of pen testing tools?
How does pen testing differ from automated testing?
What are the pros and cons of pen testing?
What to read next

Definition

A penetration test (pen test) is an authorized simulated attack performed on a computer system to evaluate its security. Penetration testers use the same tools, techniques, and processes as attackers to find and demonstrate the business impacts of weaknesses in a system. Penetration tests usually simulate a variety of attacks that could threaten a business. They can examine whether a system is robust enough to withstand attacks from authenticated and unauthenticated positions, as well as a range of system roles. With the right scope, a pen test can dive into any aspect of a system.

What are the benefits of penetration testing?

Ideally, software and systems were designed from the start with the aim of eliminating dangerous security flaws. A pen test provides insight into how well that aim was achieved. Pen testing can help an organization

Find weaknesses in systems
Determine the robustness of controls
Support compliance with data privacy and security regulations (e.g., PCI DSS, HIPAA, GDPR)
Provide qualitative and quantitative examples of current security posture and budget priorities for management

Penetration Testing: A Buyer's Guide

This guide details the benefits of pen testing, what to look for in a pen testing solution, and questions to ask potential vendors.

Download the guide

How much access is given to pen testers?

Depending on the goals of a pen test, testers are given varying degrees of information about, or access to, the target system. In some cases, the pen testing team takes one approach at the start and sticks with it. Other times, the testing team evolves its strategy as its awareness of the system increases during the pen test. There are three levels of pen test access.

Opaque box. The team doesn’t know anything about the internal structure of the target system. It acts as hackers would, probing for any externally exploitable weaknesses.
Semi-opaque box. The team has some knowledge of one or more sets of credentials. It also knows about the target’s internal data structures, code, and algorithms. Pen testers might construct test cases based on detailed design documents, such as architectural diagrams of the target system.
Transparent box. Pen testers have access to systems and system artifacts including source code, binaries, containers, and sometimes even the servers running the system. This approach provides the highest level of assurance in the smallest amount of time.

What are the phases of pen testing?

Pen testers simulate attacks by motivated adversaries. To do this, they typically follow a plan that includes the following steps:

Reconnaissance. Gather as much information about the target as possible from public and private sources to inform the attack strategy. Sources include internet searches, domain registration information retrieval, social engineering, nonintrusive network scanning, and sometimes even dumpster diving. This information helps pen testers map out the target’s attack surface and possible vulnerabilities. Reconnaissance can vary with the scope and objectives of the pen test; it can be as simple as making a phone call to walk through the functionality of a system.
Scanning. Pen testers use tools to examine the target website or system for weaknesses, including open services, application security issues, and open source vulnerabilities. Pen testers use a variety of tools based on what they find during reconnaissance and during the test.
Gaining access. Attacker motivations can include stealing, changing, or deleting data; moving funds; or simply damaging a company’s reputation. To perform each test case, pen testers determine the best tools and techniques to gain access to the system, whether through a weakness such as SQL injection or through malware, social engineering, or something else.
Maintaining access. Once pen testers gain access to the target, their simulated attack must stay connected long enough to accomplish their goals of exfiltrating data, modifying it, or abusing functionality. It’s about demonstrating the potential impact.

What are the types of pen testing?

A comprehensive approach to pen testing is essential for optimal risk management. This entails testing all the areas in your environment.

Web apps. Testers examine the effectiveness of security controls and look for hidden vulnerabilities, attack patterns, and any other potential security gaps that can lead to a compromise of a web app.
Mobile apps. Using both automated and extended manual testing, testers look for vulnerabilities in application binaries running on the mobile device and the corresponding server-side functionality. Server-side vulnerabilities include session management, cryptographic issues, authentication and authorization issues, and other common web service vulnerabilities.
Networks. This testing identifies common to critical security vulnerabilities in an external network and systems. Experts employ a checklist that includes test cases for encrypted transport protocols, SSL certificate scoping issues, use of administrative services, and more.
Cloud. A cloud environment is significantly different than traditional on-premises environments. Typically, security responsibilities are shared between the organization using the environment and the cloud services provider. Because of this, cloud pen testing requires a set of specialized skills and experience to scrutinize the various aspects of the cloud, such as configurations, APIs, various databases, encryption, storage, and security controls.
Containers. Containers obtained from Docker often have vulnerabilities that can be exploited at scale. Misconfiguration is also a common risk associated with containers and their environment. Both of these risks can be uncovered with expert pen testing.
Embedded devices (IoT). Embedded / Internet of Things (IoT) devices such as medical devices, automobiles, in-home appliances, oil rig equipment, and watches have unique software testing requirements due to their longer life cycles, remote locations, power constraints, regulatory requirements, and more. Experts perform a thorough communication analysis along with a client/server analysis to identify defects that matter most to the relevant use case.
Mobile devices. Pen testers use both automated and manual analysis to find vulnerabilities in application binaries running on the mobile device and the corresponding server-side functionality. Vulnerabilities in application binaries can include authentication and authorization issues, client-side trust issues, misconfigured security controls, and cross-platform development framework issues. Server-side vulnerabilities can include session management, cryptographic issues, authentication and authorization issues, and other common web service vulnerabilities.
APIs. Both automated and manual testing techniques are used to cover the OWASP API Security Top 10 list. Some of the security risks and vulnerabilities testers look for include broken object level authorization, user authentication, excessive data exposure, lack of resources / rate limiting, and more.
CI/CD pipeline. Modern DevSecOps practices integrate automated and intelligent code scanning tools into the CI/CD pipeline. In addition to static tools that find known vulnerabilities, automated pen testing tools can be integrated into the CI/CD pipeline to mimic what a hacker can do to compromise the security of an application. Automated CI/CD pen testing can discover hidden vulnerabilities and attack patterns that go undetected with static code scanning.

What are the types of pen testing tools?

There is no one-size-fits-all tool for pen testing. Instead, different targets require different sets of tools for port scanning, application scanning, Wi-Fi break-ins, or direct penetration of the network. Broadly speaking, the types of pen testing tools fit into five categories.

Reconnaissance tools for discovering network hosts and open ports
Vulnerability scanners for discovering issues in-network services, web applications, and APIs
Proxy tools such as specialized web proxies or generic man-in-the-middle proxies
Exploitation tools to achieve system footholds or access to assets
Post exploitation tools for interacting with systems, maintaining and expanding access, and achieving attack objectives

How does pen testing differ from automated testing?

Although pen testing is mostly a manual effort, pen testers do use automated scanning and testing tools. But they also go beyond the tools and use their knowledge of the latest attack techniques to provide more in-depth testing than a vulnerability assessment (i.e., automated testing).

Manual pen testing

Manual pen testing uncovers vulnerabilities and weaknesses not included in popular lists (e.g., OWASP Top 10) and tests business logic that automated testing can overlook (e.g., data validation, integrity checks). A manual pen test can also help identify false positives reported by automated testing. Because pen testers are experts who think like adversaries, they can analyze data to target their attacks and test systems and websites in ways automated testing solutions following a scripted routine cannot.

Automated testing

Automated testing generates results faster and needs fewer specialized professionals than a fully manual pen testing process. Automated testing tools track results automatically and can sometimes export them to a centralized reporting platform. Also, the results of manual pen tests can vary from test to test, whereas running automated testing repeatedly on the same system will produce the same results.

What are the pros and cons of pen testing?

With the frequency and severity of security breaches increasing year after year, organizations have never had a greater need for visibility into how they can withstand attacks. Regulations such as PCI DSS and HIPAA mandate periodic pen testing to remain current with their requirements. With these pressures in mind, here are some pros and cons for this type of defect discovery technique.

Pros of pen testing

Finds holes in upstream security assurance practices, such as automated tools, configuration and coding standards, architecture analysis, and other lighter-weight vulnerability assessment activities
Locates both known and unknown software flaws and security vulnerabilities, including small ones that by themselves won’t raise much concern but could cause material harm as part of a complex attack pattern
Can attack any system, mimicking how most malicious hackers would behave, simulating as close as possible a real-world adversary

Cons of pen testing