Penetration testing

Penetration testing, also known as pen testing, security pen testing, and security testing, is a form of ethical hacking. It describes the intentional launching of simulated cyberattacks by “white hat” penetration testers using strategies and tools designed to access or exploit computer systems, networks, websites, and applications. Although the main objective of pen testing is to identify exploitable issues so that effective security controls can be implemented, security professionals can also use penetration testing techniques, along with specialized testing tools, to test the robustness of an organization’s security policies, its regulatory compliance, its employees’ security awareness, and the organization’s ability to identify and respond to security issues and incidents such as unauthorized access, as they occur.

As a simulated cyberattack, ethical hacking techniques help security professionals evaluate the effectiveness of information security measures within their organizations. The pen test attempts to pierce the armor of an organization’s cyber defenses, checking for exploitable vulnerabilities in networks, web apps, and user security. The objective is to find weaknesses in systems before attackers do.

  • In the case of networks, the high-level goal is to strengthen security posture by closing unused ports, troubleshooting services, calibrating firewall rules, and eliminating all security loopholes.
  • In the case of web applications, pen testing is designed to identify, analyze, and report on common web application vulnerabilities such as buffer overflow, SQL injection, cross-site scripting, to name just a few.
  • Pen testing can also be used to attempt to gain privileged access to sensitive systems or to steal data from a system that is believed to be secure.

In the context of web application security, penetration testing is often used to augment a web application firewall