What is a Pentest, and how can it be used to help improve the security posture of your organisation.
Pentesting, also known as pen testing, is an authorised attack simulation against an organisations network or applications identifying vulnerabilities and security issues. Vulnerabilities discovered when conducting a penetration testing service are exploited confirming the severity of the issue and compromised machines. Machines or applications compromised during the engagement are used to gain access into an organisations network, this process is carried out to help identify the level of access potential attacker could obtain.
Pentest Process Overview:
Pentesting is typically performed against a companies servers, web applications, external network infrastructure and mobile applications. The assessment process is manual with the use of industry standard commercial and open source tools to assist the testing process.
Once a vulnerability has been successfully exploited, a tester may use the machine as an entry point to access other machines within the network, gaining access to data that would normally be protected by firewalls or requiring higher privilege level accounts. Penetration testing helps identify the potential risk factor by identifying the level of data a potential attacker could access.
Pentesting is typically broken down into the following actions:
Manual pen testing leverages the best in class security auditing software and tools and uses human expertise to combine the best of both options and rule out any false positives in the final report. Automated software solutions are unable to identify specific logic flaws and manual Pentesting is required to identify issues based on technical experience. The process of combining both testing solutions is commonly referred to as Vulnerability Assessment and Penetration Testing (VAPT), see our what is VAPT resource for more information.
Aptive provide a consultant lead manual web app security audit service to help identify logic flaws and complex application security issues.
A pentest is performed manually by a security professional, a vulnerability assessment is an automated assessment conducted by software.
A Pentest, assess the security of IT infrastructure, API’s or web / mobile applications by attempting to exploit discovered vulnerabilities in a controlled way. These vulnerabilities are then documented, allowing an organisation to see an overview of the discovered issues and their associated risks, perform remediation of the issues, and then have the discovered issues reassessed to verify the remediation efforts were successful.
Learn about more about pentesting in our Cyber Security Academy.