Penetration Testing
A penetration test, colloquially known as a pentest, is an authorized simulated cyberattack on a computer system, performed to evaluate the security of the system; this is not to be confused with a vulnerability assessment. The test is performed to identify weaknesses, including the potential for unauthorized parties to gain access to the system's features and data, as well as strengths, enabling a full risk assessment to be completed. The process typically identifies the target systems and a particular goal, then reviews available information and undertakes various means to attain that goal. A penetration test target may be a white box or a black box. A gray box penetration test is a combination of the two. A penetration test can help identify a system's vulnerabilities to attack and estimate how vulnerable it is. Security issues that the penetration test uncovers should be reported to the system owner.
Penetration Testing Methodologies
Open-Source Security Testing Methodology Manual (OSSTMM)
Open Web Application Security Project (OWASP)
OWASP Application Security Verification Standard (ASVS)
OWASP Web Application Security Top 10
OWASP Mobile Top 10
OWASP API Security Top 10
OWASP Top 10 for LLM Applications
OWASP Top 10 Non-Human Identities Risks
Penetration Testing Execution Standard
Penetration Testing Methodologies and Standards (PTES)
Information System Security Assessment Framework (ISSAF)
National Institute of Standards and Technology (NIST SP 800-115)
The PenTesters Framework (PTF)
CREST Guide for Running an Effective Penetration Testing Program
Three Approaches to Performing a Penetration Test
Black box testing
White box testing
Gray box testing
Types of Penetration Testing
Internal pen testing
External pen testing
Blind pen testing
Double-blind pen testing
Network / Cloud / Email
Web Application / API / Database
Mobile (Android & iOS)
Operating Systems (Windows/Linux Servers)
IoT/ICS/SCADA
Physical
Penetration Testing Phases
Reconnaissance: During this first stage, pen testers gather, and are given, information relevant to the test, such as the operating system, source code, and network layout, as well as publicly available information.
Scanning and vulnerability assessment: This is where the pen tester begins observing the system to identify any potential weak areas to attack. Pen testers can use specific tools designed to aid in this discovery stage.
Exploitation: During the exploitation phase, the pen tester conducts the attack, looking for vulnerabilities and weaknesses to exploit. It’s essential that the attacker take precautions during this stage not to harm the system.
Reporting: Reporting and documenting the discoveries during the attack allows the organization to examine its procedures and systems, address any flaws, and make improvements.
Recommendations: Lastly, the penetration tester can help the organization develop strategies to prevent attacks, making recommendations based on the findings.