A penetration test, or pentest, is an exercise where a group, usually a third party, attempts to gain access to the target’s network or system. The group could be a dedicated internal group, but is usually a third party specializing in security and penetration testing. Permission is granted to this group in an attempt to gain elicit access to the system, often without the knowledge of the internal security team, except for management, or higher level engineers.
The purpose of this exercise is to determine if there are weaknesses or vulnerabilities in the system that are not detected by vulnerability scans. These vulnerabilities may be because of the system design, social engineering weaknesses, business logic weaknesses, or other factors that are not detected through automated methods.
Customers know that there are other types of vulnerabilities besides technical vulnerabilities in the software. They want to be assured that the organization also understands that and is working to detect and address these weaknesses. A penetration test shows that your organization is committed to finding these weaknesses. The use of a third party for penetration testing provides for different thoughts and ideas that may help remove the inherent bias that often exists when an organization looks at their own work.
Customers may ask to review the pentest report from the organization that performed the test. This generally contains sensitive information and is often not fully shared with customers or potential customers. Often it is agreed upon that the executive summary with a summary of the findings and no technical details is shared. If that is not sufficient due to special requirements by the customer, sometimes the customer is invited to review the whole pentest report, under NDA, in the provider’s facility with control over notes taken as not to expose highly sensitive technical information.