What is Penetration Testing
Penetration Testing is an information security assessment, undertaken by an organization with the purpose of measuring the security posture of information systems, software, networks or human resources, by actual interaction with those elements.
It is this interactive characteristic that distinguishes penetration testing from other forms of security assessment. That should not be taken to mean that we consider all forms of penetration testing under this definition to be equal, or that all forms are suited to every purpose.
Within the industry, different terms have been used to describe the same thing, and different things have been defined using the same terms. This has, understandably, resulted in significant confusion. A penetration test is sometimes also referred to as pen testing, security testing, security evaluation, white hat testing, ethical hacking, vulnerability assessment, red teaming, vulnerability scan, penetration scan, and more.
Sometimes the different terms represent simple terminology convention (ethical hacking), sometimes the terms distinguish between forms (red team vs. blue team) or indicate automation (vulnerability scan), and sometimes the terms lend themselves to misuse and seem to have been intentionally created to mislead (penetration scan). There is even a strong movement in recent years to market fully automated 'penetration tests'. This last move has created a very hot debate among penetration testing firms about whether fully automated testing of any kind should ever be considered 'penetration testing'. This turf war over terms is fueled by the fact that automated testing is extremely cheap compared to testing that requires highly skilled personnel, and automated scan vendors who choose to market their products as 'penetration testing' are viewed as cheap imitators who are duping their clients. While we are inclined to share this view, and would prefer to call fully automated methods 'vulnerability scans', a term that more accurately describes them and is less likely to mislead clients, we aren't going to take sides in the turf war over terms.
Why not take sides? Well, for one thing, it isn't as easy as it seems to distinguish between automated and manual methods. Every aspect of penetration testing, except some forms of social engineering, requires the use of software of some kind. Unless you are actually hooking up circuits (without software) directly to a chip, manually throwing switches and reading the outputs on LEDs or something, you are going to be using some kind of software. So the mere use of software doesn't make a distinction. What about 'scanning' software, though? Well, again, you pretty much have to make use of it in most penetration tests. Unless you plan to manually type 65,535 connection attempts into a terminal, you can't even conduct a TCP port scan of one host without automation. So that's why we aren't going to get into that debate. We understand the role that automation has in penetration testing, and we know that the real issue is quality, not the term that a vendor chooses to describe their offering.
No matter what term is used to describe it, a well-conceived penetration testing engagement will include rules of engagement (often included in a statement of work) that clearly define the elements to be tested, establish an engagement time period, define the methods and tools to be used and the qualifications of the testers, define the penetration testing objectives, define procedures for the handling of sensitive data, and establish reporting requirements. There is much more that ought to be included, but those are the minimums. If you have enough information in the statement of work, you can make your own determination of whether it meets your expectations for quality.
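One practical way to make those minimum rules of engagement enforceable during the engagement is to encode them as data and have every test action checked against them before it runs. The following is an added example (not from the original page or any particular vendor); the target ranges, dates, names and qualifications are constructed sample values.

```python
"""Rules-of-engagement check: refuse any test action outside the agreed scope.

Added example. Encodes the minimum elements the text lists (elements to be
tested, time period, methods, tester qualifications, objectives, data
handling, reporting) and gates each action on the first four.
"""
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample statement-of-work values (hypothetical, documentation ranges).
RULES_OF_ENGAGEMENT = {
    "targets": ["192.0.2.0/24", "198.51.100.10"],   # elements to be tested
    "exclusions": ["192.0.2.1"],                    # explicitly out of scope
    "window": ("2024-06-01T00:00:00+00:00",         # engagement time period
               "2024-06-15T00:00:00+00:00"),
    "methods": {"port_scan", "web_app_manual", "credential_audit"},
    "tester_qualifications": {"alice": {"OSCP"}},   # named, qualified testers
    "objectives": ["Assess the external perimeter"],
    "data_handling": "encrypt findings at rest; delete 30 days after report",
    "reporting": "draft within 5 business days; final after client review",
}


def in_scope(roe, target):
    """True only if target is inside an authorized range and not excluded."""
    addr = ip_address(target)
    if any(addr in ip_network(x) for x in roe["exclusions"]):
        return False
    return any(addr in ip_network(x) for x in roe["targets"])


def in_window(roe, when_iso):
    """True if the ISO-8601 timestamp falls inside the engagement period."""
    start, end = (datetime.fromisoformat(t) for t in roe["window"])
    return start <= datetime.fromisoformat(when_iso) < end


def authorize(roe, tester, method, target, when_iso):
    """Return (allowed, reason) so every refusal is logged with its cause."""
    if tester not in roe["tester_qualifications"]:
        return False, "tester not named in the rules of engagement"
    if method not in roe["methods"]:
        return False, f"method {method!r} not agreed in the statement of work"
    if not in_window(roe, when_iso):
        return False, "outside the engagement time period"
    if not in_scope(roe, target):
        return False, f"target {target} not in the authorized scope"
    return True, "authorized"
```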
The Bottom Line:
The more you focus on the statement of work, the less confusion there is about what you are actually getting with a penetration test, whatever it is called. If you are not getting a statement of work, then it's a pretty safe bet that whatever you are buying, it's not a penetration test. With every quote we provide a sample work order, which includes everything that will eventually go into the statement of work except the detailed targeting information and other information that has to be developed later out of necessity. Our customers know from the beginning exactly what we are proposing. For us, a standard penetration test makes use of both automated and manual methods, and we believe that is by far the best approach for most clients.
Ask us for a free, quick, no hassle quote using the contact form above.