How often are penetration tests performed?

Penetration test

A penetration test, or pentest, is an exercise in which a group, usually a third party, attempts to gain access to the target's network or system. The group could be a dedicated internal team, but it is usually a third party specializing in security and penetration testing. This group is granted permission to attempt to gain illicit access to the system, often without the knowledge of the internal security team; typically only management or senior engineers are informed.


The purpose of this exercise is to determine whether the system has weaknesses or vulnerabilities that vulnerability scans do not detect. These vulnerabilities may stem from the system design, social engineering weaknesses, business logic weaknesses, or other factors that automated methods cannot detect.

Why are they asking this?

Customers know that software can have vulnerabilities other than technical ones. They want assurance that the organization also understands this and is working to detect and address these weaknesses. A penetration test shows that your organization is committed to finding them. Using a third party for penetration testing brings in different perspectives and ideas, which can help remove the inherent bias that often exists when an organization reviews its own work.

What do they expect?

Customers may ask to review the pentest report from the organization that performed the test. This report generally contains sensitive information and is often not fully shared with customers or potential customers. Often the parties agree that only the executive summary, containing a summary of the findings and no technical details, is shared. If that is not sufficient due to a customer's special requirements, the customer is sometimes invited to review the whole pentest report under NDA in the provider's facility, with controls on note-taking so as not to expose highly sensitive technical information.

Penetration test frequency

Penetration tests (pentests) should be a regularly scheduled activity. A pentest is an attempt by a third party, acting like a malicious party, to gain access to a system or network. Pentests simulate an attack that goes beyond simple vulnerability scans: they target the configuration, design, implementation, and logic of the system, which simple vulnerability scans cannot test.

Why are they asking this?

New techniques and information, combined with attacks on different aspects of the system, make every pentest unique and able to find flaws not previously detected. Combined with the possibility of newly introduced weaknesses, this means that each pentest may find something that was not seen before.

What do they expect?

If penetration testing is required, it is generally required to be performed annually. If the test covers only certain applications, such as your SaaS application, a separate test may be required for the organization's network, since compromising the network may lead to compromise of the application from the backend.