Clarification about penetration testing


The terms penetration testing and vulnerability assessment are often confused and used interchangeably, when in fact the two terms have distinct meanings.

Penetration testing, or simply pentesting, is a continuous cycle of searching for and attacking a target in order to identify vulnerabilities in a computer system, network, or web application that an attacker could exploit, and then attempting to gain access to confidential data and information about the system under test.

Vulnerability assessment is the process of defining, identifying, and classifying potential security vulnerabilities in the target system.

Penetration testing can be automated with software applications or performed manually. In both cases, the process includes collecting information about the target before the test (reconnaissance), identifying possible entry points, attempting to break in (virtually or for real), and reporting the results.

When a penetration test is performed correctly, the results allow professionals to make recommendations to solve the problems detected during the test. The main objective of penetration testing is to improve the security of the computer system, network, or web application and to provide protection for the entire network and connected devices against future attacks.

There are three types of penetration testing, depending on the company's expectations:

Black box: The tester puts himself completely in the shoes of a hacker. He does not have any information.
Grey box: The tester has a limited amount of information.
White box: The tester has all the information he needs.

I can't stress enough that you should always make sure that you are in the right, either by going through specialized sites or by concluding a proper contract with your client before starting.