What is Penetration Testing?
In a 2006 white paper titled “Penetration Testing: Assessing Your Overall Security Before Attackers Do”, authors Northcutt, Shenk, and Shakleford, define penetration testing as “the process of attempting to gain access to resources without knowledge of usernames, passwords and other normal means of access. ”
They further state that main distinction between a pen tester and an attacker is “permission”.
Also, the end goal of both vary. A penetration test is conducted to increase the security of the system and resources being tested, while an attack exploits and destroys the system.
Why should Penetration Testing be performed?
There are various reasons for performing penetration tests. One of the vital reasons is to find the vulnerabilities – and fix them – before the attackers find and exploit them.
Another reason is for validation. Often times, even when internal security teams are aware of vulnerabilities, an external “expert” report is necessary to get management to sit up and take notice and invest in mitigation methods.
I have personally experienced this, and am glad that the authors have recognized and documented this fact.
The authors also mention that pen testing can be invaluable on new systems before they launched and deployed to the wild.
I definitely agree with this as it is an added layer of software testing that should follow code reviews, unit testing, and fuzzy-input testing.
A final reason for the need for pen testing is its effectiveness in identifying compliance gaps.
While investing in pen testing may seem huge, it is often only a small fraction of the losses due to an attack – especially when the stakes (financial and reputational) are high.
Northcutt, S., Shenk, J., Shakleford, D., Rosenberg, T., Siles, R., & Manicini, S. (2006). Penetration Testing: Assessing Your Overall Security Before Attackers Do. Retrieved from https://www.sans.org/reading-room/whitepapers/analyst/penetration-testing-assessing-security-attackers-34635