What is a Penetration Test?

This article explains the concept of a penetration test.

The term Penetration Test (or PenTest) is a broadly used term to describe adversarial testing in the cybersecurity industry. The term can mean many different things depending on its context. The most crucial factor that distinguishes a penetration test from an attack is that the tester has explicit permission to perform the test.

The Traditional Definition

In its traditional sense, a Penetration Test is a type of activity where an expert hacker attempts to gain entry into a system, thus "penetrating" or defeating that system's security controls. In this context, a penetration test is often directed at computer network security or physical access controls to a building or secure area.

The Modern Definition

Today, we extend the meaning of a Penetration Test to include just about any adversarial test against any system's security controls, as long as the tester first obtains permission to test. On the one hand, this definition's flexibility more easily fits PCI-DSS, HIPAA, and other regulatory requirements. On the other hand, the ambiguity leads to more confusion about what can and can't be considered a real penetration test. Unfortunately, in some cases, this has led to a misguided belief that an automated vulnerability scan qualifies as a penetration test (hint: it does not).

How We Define Penetration Tests

Here at Secure Ideas, we believe that in most cases, the focus of a Penetration Test should be on properly assessing the target system's security risk. Therefore, to be considered an actual penetration test, it must include the following attributes:

  • Coverage: The testing must, within reason and scope, consider all aspects of security for the target system. It is not sufficient to stop testing after exploiting a single vulnerability in just one control if there are other likely paths to gain entry.
  • Expertise: A person with the right expertise must conduct the testing. A penetration test is not a task for an inexperienced person, nor is it a computer program task. A misunderstanding of context or technical results can lead to incorrect results and a false sense of security.
  • Risk-focused: A penetration test must focus on the security risk and consider the context of a vulnerability. People interpret the context more accurately than programs. Our end-goal with any penetration test is to improve our client's security posture while meeting any regulatory or organizational requirements.

Typical Target Types of Penetration Tests

We usually refer to the type of penetration test by its target or scope. Below are some common examples:

  • External Network: This is typically a test of an organization's external network surface and is often conducted from an unauthenticated attacker's perspective.
  • Internal Network: This is a test of the network controls inside a network and is often conducted from a compromised device's perspective as an authenticated attacker. An internal network may include on-premise and cloud computing components.
  • Web Application Pentest: This is a hands-on security assessment of a web application and is typically conducted from various user roles. 
  • API Pentest: This is a hands-on security assessment of a web-based API such as REST or SOAP.
  • Hardware Pentest: This is an assessment of the security controls on a physical device.
  • Physical Pentest: This is an assessment of physical security controls, such as those protecting an office building or data center.

Secure Ideas has conducted all of the above example types of tests as well as others. Check out our Penetration Test FAQs and some of our other articles if you want to know if penetration testing is right for you, or if you want to know anything else about pentesting.

Similar posts