Penetration testing - you’ve heard the term before. Maybe it came from upper management, a consulting company, or just something that a security contact mentioned in passing. Maybe you’ve had a penetration test performed against one of your applications or networks to probe for vulnerabilities and exploit them (we’ll get to that later).
Regardless, it’s something we should all educate ourselves about and consider as a strategy to improve overall security posture and practice proactive security defense. More and more companies are offering penetration testing as a service. We will lay out the basics to develop a better understanding of the penetration testing process, why you need it, when it's required, and what the final outcome and deliverable will be.
Penetration testing (pentesting) is the process of assessing a company’s technological environment with the intention to uncover security vulnerabilities and exploit them as proof of concepts. This is a popular type of security assessment performed to uncover flaws and weaknesses within a network or application. The main idea is to replicate what a potential malicious actor could accomplish by discovering and remediating flaws within an authorized and safe context before real repercussions occur if a hacker were to exploit them.
Penetration tests can occur on all types of environments and targets including network infrastructure (external or internal), web application, API, cloud, mobile app, Internet of Things (IoT) devices, wireless assessments and more.
The different types of penetration tests (pentests) include:
Have you made a major update to your application? Were there some new frameworks or modules installed? Do you manage Personally Identifiable Information (PII) or Payment Card Industry (PCI) data? These are all valid reasons to get a penetration test, and sometimes it may even be mandatory.
Penetration tests occur for a large variety of reasons. In most situations, it is often recommended to perform a pentest bi-annually or even quarterly in order to uncover and understand potentially new vulnerabilities which have been introduced and exposed within the changes being made over time. There are also compliance regulations such as PCI Data Security Standards (DSS) which make penetration testing mandatory to ensure that client credit card and PII data is secure at rest, in transit, and is inaccessible from external attackers.
Some common reasons to perform a penetration test include:
Penetration testers come with all types of backgrounds and educations, but they are always trained with a thorough technical understanding of all types of security vulnerabilities and issues. This includes real-world vulnerabilities and exploitation methods seen across a network or within devices to better understand technology weaknesses and provide an in-depth report with technical and strategic recommendations.
A penetration test report will often include an executive summary for a high-level, overall view of the security assessment performed. The summary may include things like overall risk, security posture, and estimated remediation time. This can also include some positive and negative findings observed during the assessment. Each report will always include a detailed findings section which outlines each individual finding, the risk and impact associated with it, steps to retest or verify it, and recommended remediation including step-by-step details on how to fix the affected issues. These findings will likely be listed in order of ranked risk from critical to low findings. And the wrap-up of the report will often include an appendix section which will identify any remaining details of the assessment such as the scope targeted, tools used, people on the team who were involved, remaining details from the findings, and any additional remaining sections depending on the team.
Overall, a penetration test is a critical component to assessing your organizations attack surface in exposed applications or networks. It will help shed light on any weaknesses or exposures and identify areas for any positive implementations, which with strong security, can help increase security posture and decrease cyber risk.
7 signs you may want to look for in your technology to know if it’s time to change it.