Penetration testing, also known as pen testing, means computer securities experts use to detect and take advantage of security vulnerabilities in a computer application. These experts, who are also known as white-hat hackers or ethical hackers, facilitate this by simulating real-world attacks by criminal hackers known as black-hat hackers.
In effect, conducting penetration testing is similar to hiring security consultants to attempt a security attack of a secure facility to find out how real criminals might do it. The results are used by organizations to make their applications more secure.
First, penetration testers must learn about the computer systems they will be attempting to breach. Then, they typically use a set of software tools to find vulnerabilities. Penetration testing may also involve social engineering hacking threats. Testers will try to gain access to a system by tricking a member of an organization into providing access.
Penetration testers provide the results of their tests to the organization, which are then responsible for implementing changes that either resolve or mitigate the vulnerabilities.
Penetration testing can consist of one or more of the following types of tests:
A white box test is one in which organizations provide the penetration testers with a variety of security information relating to their systems, to help them better find vulnerabilities.
A blind test, known as a black-box test, organizations provide penetration testers with no security information about the system being penetrated. The goal is to expose vulnerabilities that would not be detected otherwise.
A double-blind test, which is also known as a covert test, is one in which not only do organizations not provide penetration testers with security information. They also do not inform their own computer security teams of the tests. Such tests are typically highly controlled by those managing them.
An external test is one in which penetration testers attempt to find vulnerabilities remotely. Because of the nature of these types of tests, they are performed on external-facing applications such as websites.
An internal test is one in which the penetration testing takes place within an organization’s premises. These tests typically focus on security vulnerabilities that someone working from within an organization could take advantage of.