Software is guaranteed to have bugs. A common way to find them is via a penetration test, typically shortened to a pentest.

Tip: It's pentest and pentester, not pen test. A pentester doesn't test pens. Pen-test is slightly more acceptable than pen test but generally should be avoided too.

Typically, however, engagements are somewhat time-limited based on cost. If a company has an internal pentester or pentest team, they may work for the company permanently. Still, many companies with the scale for that have a broad portfolio of systems that must be tested, including both the products being sold and the company's business systems. As such, they can't spend all their time testing one thing. Many companies prefer to hire an external pentesting company to perform the engagement. This is still time-limited based on the cost.

Typically, a pentest will be scoped to a specific timeframe. The timeline for finding vulnerabilities is generally a bell curve: not much is found instantly as the pentester looks around the system, then the vast majority of findings are made within a specific time scale before tapering off. Sometimes, even the quoted price for the recommended time is too much. In this case, the test may be time-boxed. Typically, this is included as a caveat in the report.

Manual Process

Some tools are available to perform security testing automatically. These can be useful. However, they often have high false positive and false negative rates. This means that you must spend time digging through and verifying the reported issues, knowing that the results might not be comprehensive. There are also plenty of ways for reported findings not to be actual issues, or to be mitigated in practice. Conversely, security vulnerabilities can come together from a bunch of seemingly innocuous pieces. The best way to spot this is through manual human effort. This manual effort separates a pentest from a vulnerability scan or vulnerability assessment.

Types of Pentest

Typically, a pentest involves testing a whole product as it would be deployed. Ideally, this happens in a real production environment. However, this isn't always practical.

First, there's the fear that the pentest could knock the target offline. In general, this fear is essentially unfounded. Pentests don't generally generate much network traffic, maybe the equivalent of a few extra active users. Pentesters also won't deliberately test for denial-of-service issues, especially in production environments. Instead, they'll typically report suspected denial-of-service problems to allow the client to investigate them themselves. Another reason to avoid production environments is privacy issues with live user data.

Pentests can be performed against basically any tech system. Websites and network infrastructure are the most common types of tests. You also get API tests, thick client tests, mobile tests, hardware tests, and more.

You're likely aware of the threat of phishing. Some tests involve seeing how employees respond to phishing emails. OSINT stands for Open Source INTelligence. This often involves generating lists of employees from places like LinkedIn and the company website.

A red team engagement is typically much more in-depth and can involve some or all of the other components. It can also include testing physical security and adherence to security policy. On the policy side of things, this involves social engineering, that is, trying to talk your way into the building.

Red Teams

A red team exercise may seem less ethical than a standard pentest: the tester is actively preying on unsuspecting employees. The key is that they have permission from the company leadership, typically from the board level. This is the only reason it is OK for a red teamer to actually try to break in. Nothing permits it to be violent, though. If caught, this permission can be used to prove that they were authorised.

Of course, sometimes this is used as a double bluff. The red teamer can carry two permission slips, one real and one fake. If security sees through the fake one, the real permission slip is handed over. This may then be treated with great suspicion, though. At this point, another team member may swap in, with or without informing security.

The test involves manually searching for and verifying the presence of vulnerabilities. Automated tools may be used as part of this. At the end of the test, a report is provided detailing the issues found and providing remediation advice. Any computer system, hardware, website, app, or machine can be pentested. The skills needed for each vary but are often complementary.