London software testing news UK


Penetration testing

Posted in security testing, Software testing by testing in London on June 1, 2007

From e-commerce times

A penetration test is a service designed to simulate an attack on systems within your or a partner’s environment. While there might be a number of parameters that can change to determine how the attacks are initiated and conducted (for example, you might choose to limit the date and times when attacks are done to minimize impact to production), the defining characteristic of a penetration test is that individuals will be actively attacking the systems in scope using the same or similar methods to what an actual attacker would use.

Penetration testing can be done in a “black box” manner, where no information is provided to the testing team, or specific information might be given to the testing team to give them a “jump start” and make sure that they are testing the right things.

The advantage of a penetration test is that it demonstrates how critical topics like patch management are to the organization. For example, nothing “makes real” the importance of patch management more than a screen capture of company data being viewed by an attacker due to a missing patch. On the downside, you prove only that your organization is subject to attack and you only find out one way (out of possibly many) that an attacker could exploit your systems to gain entry. While you do have the opportunity to test incident response and logging/auditing features of the environment, you only test them in a narrow subset of the environment.

2 Responses to 'Penetration testing'


  1. Geek said,

    Apart from purely technical means, penetration testing can also be accomplished by social networking. By penetration, we mean unauthorized access to the system. There are many vulnerabilities which have been identified and tools are available for them. The biggest of these vulnerabilities IMO could be social networking, wherein no tool will work. On this page ( http://www.testinggeek.com/secpenetration.asp ), there are a number of techniques which can be used for penetration testing. To be proactive, it is always advisable to use some kind of vulnerability scanner to make sure that the system is not vulnerable to any threats.

  2. The Useful and Dangerous World of Penetration Testing - Executive Briefing said,

    […] This post at London Software Testing News says that the advantages of such an approach can be quite graphic. A C-level executive could be frightened into action via a screen capture of the hacker (in this case the pen tester) downloading data he or she got access to because of a missing patch. A comment on the piece suggests that a test that uses social engineering approaches — differentiated from purely technical attacks — also fits within the definition of penetration testing. […]

