What Is Penetration Testing?
Penetration Testing Defined
There is a considerable amount of confusion in the industry regarding the differences between vulnerability scanning and penetration testing, as the two phrases are commonly interchanged. However, their meaning and implications are very different. A vulnerability assessment simply identifies and reports noted vulnerabilities, whereas a penetration test(Pen Test) attempts to exploit the vulnerabilities to determine whether unauthorized access or other malicious activity is possible. Penetration testing typically includes network penetration testing and application security testing as well as controls and processes around the networks and applications, and should occur from both outside the network trying to come in (external testing) and from inside the network.
What Is a Penetration Testing Tool?
Penetration testing tools are used as part of a penetration test(Pen Test) to automate certain tasks, improve testing efficiency and discover issues that might be difficult to find using manual analysis techniques alone. Two common penetration testing tools are static analysis tools and dynamic analysis tools. CA Veracode performs both dynamic and static code analysis and finds security vulnerabilities that include malicious code as well as the absence of functionality that may lead to security breaches. For example, CA Veracode can determine whether sufficient encryption is employed and whether a piece of software contains any application backdoors through hard-coded user names or passwords. CA Veracode's binary scanning approach produces more accurate testing results, using methodologies developed and continually refined by a team of world-class experts. And because CA Veracode returns fewer false positives, penetration testers and developers can spend more time remediating problems and less time sifting through non-threats.
Manual Penetration Test
Manual penetration testing layers human expertise on top of professional penetration testing software and tools, such as automated binary static and automated dynamic analysis, when assessing high assurance applications. A manual penetration test(Pen Test) provides complete coverage for standard vulnerability classes, as well as other design, business logic and compound flaw risks that can only be detected through manual testing.
Penetration Testing Methodology
Once the threats and vulnerabilities have been evaluated, the penetration testing should address the risks identified throughout the environment. The penetration testing should be appropriate for the complexity and size of an organization. All locations of sensitive data; all key applications that store, process or transmit such data; all key network connections; and all key access points should be included. The penetration testing should attempt to exploit security vulnerabilities and weaknesses throughout the environment, attempting to penetrate both at the network level and key applications. The goal of penetration testing is to determine if unauthorized access to key systems and files can be achieved. If access is achieved, the vulnerability should be corrected and the penetration testing re-performed until the test is clean and no longer allows unauthorized access or other malicious activity.