The meaning of Penetration Testing, as defined by the English dictionary, means to identify the presence of points where something can find or force its way into or through something else.
When applied to IT Security, Penetration Testing Services are most often used to positively identify points of vulnerability before bad actors do. Since Penetration Tests are tests, they must determine the genuineness of the vulnerabilities that they identify, hence the word “test”.
In most, if not all cases this determination is done through exploitation. If a potential issue is successfully exploited then its determined to be a genuine vulnerability and is reported. Findings that cannot be exploited are either not reported or are reported as theoretical findings when justified. Because Penetration Tests prove the genuineness of vulnerabilities their deliverables should always be free of false positives.
Penetration Testing, by definition, does not impose any limitations on the methods that can be used to determine the presence of points where something can make its way into or through something else. When limitations are imposed they are the product of customer requirements, project scope, team capabilities, and resources.
With regards to IT Security, a Penetration Test should produce levels of threat that are at least equal to those which are likely to be faced in the wild. This enables the testing team to identify the same types of vulnerabilities that might otherwise be identified by the real threat. Once those vulnerabilities are identified they can be remediated against thus preventing a compromise. Testing at less than realistic levels of threat is ineffective and akin to testing a bulletproof vest with a squirt gun instead of live rounds. Note: The real threat commonly uses malware, social engineering and phishing (a form of social engineering) when attempting to penetrate targets. Penetration Testing & Uses In IT Security Penetration Tests are most commonly applied to Networks, Web Application, and Physical Security. In theory, anything can undergo a Penetration Test.
Many security firms are dressing up a low quality vulnerability scan as a penetration test and charging you thousands of dollars for it. You think you are buying a penetration test when in reality you’re getting a poor quality vulnerability scan, then an engineer looks over the scan report, massages the findings and they call this a penetration test. This is NOT a pen test. This is an automates vulnerability scan that is being disguised as a penetration test. If you are requesting a quote for a pen test and the security firm simply asks you for a number of IP addresses and then gives you a price. You’re likely just getting a scan and being charged for a penetration test.
