What Is Penetration Testing?

Pentesting or penetration testing is a means of evaluating computer and network security by identifying and exploiting vulnerabilities that a real attacker would attempt.

Pentesting will usually include a research stage (collecting information), identifying vulnerabilities, entry points (scanning), attempt to break in (exploiting) and feedback on the findings (reporting).

Strategies include:

Targeted testing sometimes referred to as the “lights-on” approach and is performed in collaboration with the organization’s IT team.

External testing targets the visible servers or devices (DNS, email servers, web servers, firewalls) an outside attacker would have access to normally in order to determine how far they could break in.

Internal testing would be conducted from the inside – behind the firewall – with authorised access, in order to establish what damage could be done if an employee directed or assisted the attack.

Blind testing implies only a limited amount of information (i.e. name of the company) is available before the test takes place. This strategy requires extensive research and it may involve higher costs.

Double blind testing means not only the information of the target company is limited but also limits the number of people aware that the test is taking place. This is done in order to test the company’s security, attack identification and response policies.

For application testing: 

White-box testing the tester is given specific knowledge about the programming code in order to understand whether the program performs the intended purpose or not.

Black-box testing tests whether the tester has information on the input and output of the program but is not aware of the inner workings of the software.

Grey-box testing (translucent testing) is a combination of white-box and black-box testing.