A penetration test is an authorized simulated attack performed on a computer system to evaluate its security. Penetration testers use the same tools, techniques, and processes as attackers to find and demonstrate the business impacts of weaknesses in your systems.
Penetration tests usually simulate a variety of attacks that could threaten your business. A pen test might examine whether a system is robust enough to resist attacks from unauthenticated and authenticated positions, and from a range of user roles and privilege levels. With the right scope, a pen test can dive into any aspect of a system that you need to assess.
Ideally, your organization has designed its software and systems from the start with the aim of eliminating dangerous security flaws. A pen test provides insight into how well you’ve achieved that aim. Pen testing supports the following security activities, among others:
Depending on the goals of a pen test, the organization provides the testers varying degrees of information about, or access to, the target system. In some cases, the pen testing team sets one approach at the start and sticks with it. Other times, the team adjusts its strategy as it learns more about the system during the test. In the industry, we talk about three types of pen tests:
Pen testers aim to simulate attacks carried out by motivated adversaries. To do so, they typically follow a plan that includes the following steps:
There is no one-size-fits-all solution for pen testing. Instead, different targets require different sets of tools for port scanning, application scanning, Wi-Fi break-ins, or direct penetration of the network. But broadly speaking, the types of pen testing tools fit into five categories:
Pen testing is mostly a manual effort. Pen testers do use automated scanning and testing tools in the process, but they also go beyond the tools and think their way past security barriers, using their knowledge of current attack techniques to provide more in-depth testing than a vulnerability assessment (i.e., automated scanning) can provide. Here are a few comparative advantages of manual pen testing and automated testing:
Manual pen testing
Manual pen testing uncovers vulnerabilities and weaknesses that are not covered by popular lists (e.g., the OWASP Top 10) and tests business logic that automated testing can overlook (e.g., data validation, integrity checks, whether a workflow can be driven out of order). A manual review can also weed out false positives reported by automated testing. Overall, manual pen testers are experts who “think” like adversaries: they can analyze what a system actually does and target their attacks accordingly, testing systems and websites in ways that automated solutions following a scripted routine cannot.
Automated testing
Automated testing generates results faster and requires fewer specialized staff than a fully manual pen test. Automated tools record their results and can often export them to a centralized reporting platform. Also, while the results of manual pen tests might vary from tester to tester and from test to test, running the same automated test suite repeatedly against the same system produces repeatable results, which makes it well suited to regression checks between manual engagements.
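The difference between the two approaches is easiest to see on a business-logic flaw. The following is an added example written for this page (it is not code from the original article or from any particular tool): a checkout handler that trusts a client-supplied price, the hardened version that recomputes the total server-side, a stand-in for a scripted scanner that only fires generic payloads and watches for crashes, and the check a human tester would perform after learning the business rule. All names (`checkout_vulnerable`, `checkout_hardened`, `naive_scan`, `manual_logic_test`) and the catalog and request data are hypothetical and constructed for the example.

```python
"""Added example: a pricing flaw that a scripted scan misses and a
manual business-logic test catches. All handlers and data are
constructed for illustration; nothing here is a real product."""
from dataclasses import dataclass

# Constructed server-side price list (cents): the only trustworthy price source.
CATALOG = {"sku-100": 2500, "sku-200": 999}


@dataclass
class Order:
    sku: str
    quantity: int
    total_cents: int


class OrderError(ValueError):
    """Raised for any rejected order request."""


def checkout_vulnerable(request: dict) -> Order:
    """Business-logic flaw: trusts the client's unit_price and quantity.
    Every field is type-checked, so nothing 'looks' like missing validation."""
    sku = str(request["sku"])
    quantity = int(request["quantity"])
    unit_price = int(request["unit_price"])  # attacker-controlled value
    if sku not in CATALOG:
        raise OrderError("unknown sku")
    return Order(sku, quantity, quantity * unit_price)


def checkout_hardened(request: dict) -> Order:
    """Ignores any client-supplied price, recomputes the total from the
    catalog and bounds the quantity."""
    sku = str(request["sku"])
    quantity = int(request["quantity"])
    if sku not in CATALOG:
        raise OrderError("unknown sku")
    if not 1 <= quantity <= 100:
        raise OrderError("quantity out of range")
    return Order(sku, quantity, quantity * CATALOG[sku])


def naive_scan(handler) -> list[str]:
    """Stand-in for a scripted scanner: sends generic payloads and reports
    only unhandled exceptions. It has no notion of what a correct total is,
    so a handler that computes the wrong total silently passes."""
    findings = []
    payloads = [
        {"sku": "' OR 1=1--", "quantity": 1, "unit_price": 1},
        {"sku": "sku-100", "quantity": "<script>", "unit_price": 1},
        {"sku": "sku-100", "quantity": 1, "unit_price": "abc"},
    ]
    for payload in payloads:
        try:
            handler(payload)
        except ValueError:  # includes OrderError: rejected input is expected
            pass
        except Exception as exc:  # a crash is the only thing it would flag
            findings.append(f"unhandled {type(exc).__name__} on {payload}")
    return findings


def manual_logic_test(handler) -> list[str]:
    """What a tester does by hand: learn the rule ('total = quantity times
    catalog price'), tamper with fields the UI never exposes, and compare
    the outcome against that rule rather than against a crash signature."""
    findings = []
    expected = CATALOG["sku-100"]
    cases = [
        ({"sku": "sku-100", "quantity": 1, "unit_price": 1},
         lambda o: o.total_cents != expected,
         "client-controlled price accepted"),
        ({"sku": "sku-100", "quantity": -1, "unit_price": expected},
         lambda o: o.total_cents <= 0,
         "negative quantity accepted"),
    ]
    for request, is_bad, label in cases:
        try:
            order = handler(request)
        except OrderError:
            continue  # correctly rejected
        if is_bad(order):
            findings.append(f"{label}: total_cents={order.total_cents}")
    return findings


if __name__ == "__main__":
    for name, handler in (("vulnerable", checkout_vulnerable),
                          ("hardened", checkout_hardened)):
        print(name, "scan:", naive_scan(handler))
        print(name, "manual:", manual_logic_test(handler))
```

Both handlers pass `naive_scan` cleanly, because the scripted checks only know how to recognise an error, not an incorrect business outcome; `manual_logic_test` flags the vulnerable handler twice and the hardened one not at all, which is the point the paragraph above makes about scripted routines versus a tester who understands what the system is supposed to do.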
With the frequency and severity of security breaches increasing year after year, organizations have never had a greater need for visibility into how well they can withstand attacks. Compliance adds to the pressure: PCI DSS explicitly requires periodic penetration testing, and the HIPAA Security Rule's requirement for regular technical evaluation is commonly satisfied with pen testing. With these pressures in mind, here are some pros and cons of pen testing as a defect-discovery technique:
Pros of pen testing
Cons of pen testing