A Community Project
Built By Professionals
Built For Professionals
You Are Welcome
About Penetration Testing Body of Knowledge
Penetration Testing Body of Knowledge (PTBoK) is an open resource built on vast experiences of numerous industry experts. The information contained here is expected to have higher standards of accuracy. If you find somewhere we went wrong, please let us know.
Penetration Testing (Source: Wikipedia)
A penetration test, or the short form pentest, is an attack on a computer system with the intention of finding security weaknesses, potentially gaining access to it, its functionality and data.
The process involves identifying the target systems and the goal, then reviewing the information available and undertaking available means to attain the goal. A penetration test target may be a white box (where all background and system information is provided) or black box (where only basic or no information is provided except the company name). A penetration test will advise if a system is vulnerable to attack, if the defenses were sufficient and which defenses (if any) were defeated in the penetration test.
A penetration can be likened to surveying a rabbit proof fence, which must be whole to keep the rabbits out. In surveying the fence the penetration tester may identify a single hole large enough for a rabbit (or themselves) to move through, once the defense is passed, any further review of that defense may not occur as the penetration tester moves on to the next security control. This means there may be several holes or vulnerabilities in the first line of defense and the penetration tester only identified the first one found as it was a successful exploit. This is where the difference lies between a vulnerability assessment and penetration test – the vulnerability assessment is everything that you may be susceptible to, the penetration test is based on if your defense can be defeated.
Security issues uncovered through the penetration test are presented to the system’s owner. Effective penetration tests will couple this information with an accurate assessment of the potential impacts to the organization and outline a range of technical and procedural countermeasures to reduce risks.
Penetration tests are valuable for several reasons:
- Determining the feasibility of a particular set of attack vectors
- Identifying higher-risk vulnerabilities that result from a combination of lower-risk vulnerabilities exploited in a particular sequence
- Identifying vulnerabilities that may be difficult or impossible to detect with automated network or application vulnerability scanning software
- Assessing the magnitude of potential business and operational impacts of successful attacks
- Testing the ability of network defenders to successfully detect and respond to the attacks
- Providing evidence to support increased investments in security personnel and technology
The information available here is open for peer review. We strongly believe that none of us is more knowledgeable than all of us. We have traveled a long distance to reach here. If you think you can take this forward we would love to work together with you. Click here to express your interest.
Licence: The information provided here is shared under the Creative Commons Attribution-ShareAlike License.