penetration testing

Pen tests can be automated with software applications or they can be performed manually. Either way, the process includes gathering information about the target before the test (reconnaissance), identifying possible entry points, attempting to break in (either virtually or for real) and reporting back the findings.

The main objective of penetration testing is to determine security weaknesses. A pen test can also be used to test an organization's security policy compliance, its employees' security awareness and the organization's ability to identify and respond to security incidents.

Penetration tests are sometimes called white hat attacks because in a pen test, the good guys are attempting to break in.

Pen test strategies include:

Targeted testing
Targeted testing is performed by the organization's IT team and the penetration testing team working together. It's sometimes referred to as a "lights-turned-on" approach because everyone can see the test being carried out.

External testing
This type of pen test targets a company's externally visible servers or devices including domain name servers (DNS), e-mail servers, Web servers or firewalls. The objective is to find out if an outside attacker can get in and how far they can get in once they've gained access.

Internal testing
This test mimics an inside attack behind the firewall by an authorized user with standard access privileges. This kind of test is useful for estimating how much damage a disgruntled employee could cause.

Blind testing
A blind test strategy simulates the actions and procedures of a real attacker by severely limiting the information given to the person or team that's performing the test beforehand. Typically, they may only be given the name of the company. Because this type of test can require a considerable amount of time for reconnaissance, it can be expensive.

Double blind testing
Double blind testing takes the blind test and carries it a step further. In this type of pen test, only one or two people within the organization might be aware a test is being conducted. Double-blind tests can be useful for testing an organization's security monitoring and incident identification as well as its response procedures.

Learn More About IT:

The Open Source Security Testing Methodology Manual (OSSTMM) by Pete Herzog covers what's involved in a penetration test, from initial requirements analysis to report generation.

The National Institute of Standards and Technology (NIST) discusses penetration testing in Special Publication 800-42, Guideline on Network Security Testing.

Michael Cobb writes about pen testing during software development and recommends "Penetration testing best practices."

James C. Foster explains the difference between penetration testing and code review.

Screencast: Learn how Metasploit, the popular vulnerability scanner, can test applications, servers and operating systems.

SearchSecurity.com expert Scott Sidel discusses the mechanics behind BackTrack 2.0, a popular pen testing tool.

Puneet Mehta has prepared a Guide to penetration testing for SearchNetworking.com.

Learn more about Software Testing and Quality Assurance (QA)

When to use manual vs. automated software testing tools: When does it make sense to use an automated software testing tool? When is it a bad idea? Get expert advice on choosing automated vs. manual testing tools.
Testers: Time to gear up for mobile software testing: Mobile app development is forging ahead, despite the bad economy. What impact will this have on QA and testing organizations?
	Web application security testing checklist: Testing your Web application security is something that needs be taken seriously. The best way to be successful is to prepare in advance and know what to look for.
Pros and cons of requirements-based software testing: Learn about the strengths and benefits of requirements-based testing as well as what the detractors say -- mostly based on incorrect assumptions about requirements.
Two-minute guide to determining software testing coverage: Get a crash course on deciding which features to test and when and how to test them.

Do you have something to add to this definition? Let us know. Send your comments to techterms@whatis.com

More resources from around the web: - Thomas Rude's article, "Knockin' At Your Backdoor" is available on his Web site.

FILE EXTENSION AND FILE FORMAT LIST File Extension and File Format List: A B C D E F G H I J K L M N O P Q R S T U V W X Y Z #

RELATED CONTENT Tools bringing traditional, agile projects together Larger organization's distributed teams, "stickies on the whiteboard doesn't cut it," said Todd Olson, of Rally Software. "Executives need a different... Software Testing: Researching software features to test Once you've determined which software features to test during a project, how do you choose which aspects of that feature to test?