Penetration Testing

Penetration testing, often referred to as “pen testing” or “ethical hacking,” is a simulated cyber attack against your computer system to check for exploitable vulnerabilities. In the context of web application security, penetration testing is typically used to augment a web application firewall (WAF). Penetration tests involve the attempted breaching of any number of application systems (e.g., application protocol interfaces (APIs), frontend/backend servers) to uncover vulnerabilities, such as unsanitized inputs that are susceptible to code injection attacks.

The primary goal of penetration testing is to identify weak spots in an organization’s security posture, as well as measure the compliance of its security policy, test the staff’s awareness of security issues, and determine whether—and how—the organization would be subject to security disasters.

A penetration test can also highlight weaknesses in a company’s security policies. For instance, although a security policy focuses on preventing and detecting an attack on an enterprise’s systems, that policy may not include a process to expel a hacker.

The stages involved in penetration testing typically include planning, reconnaissance, scanning, gaining access, maintaining access, and analysis. The results of the penetration test are then compiled into a report detailing:

  • Specific vulnerabilities that were exploited
  • Sensitive data that was accessed
  • The amount of time the pen tester was able to remain in the system undetected

Penetration testing is valuable for several reasons:

  • Determining the feasibility of particular attack vectors
  • Identifying higher-risk vulnerabilities that result from a combination of lower-risk vulnerabilities exploited in a particular sequence
  • Identifying vulnerabilities that may be difficult or impossible to detect with automated network or application vulnerability scanning software
  • Assessing the magnitude of potential business and operational impacts of successful attacks
  • Testing the ability of network defenders to successfully detect and respond to the attacks