Far more exciting than the ballpoint variety, modern pentesting encompasses an extremely wide range of operations by a single person or team to do one thing: break in. This may include security audits, analysis, discussions, scans, stealth attacks, phishing or even physically sneaking around and plugging into networks.
While the need for security testing is nothing new, pen testing has seen a large growth in recent years as product or application developers, CEOs and administrators want to feel safe with their security assumptions. “Is my network secure from outside attackers?” “Are my web applications vulnerable to Cross Site Scripting or SQL injection?” “What stops an attacker or insider from stealing my company’s secrets?” “Can someone break into X from Y?” “Is my customer’s data at risk?” “Are users of our product at risk of attack?”
Pentesters are sometimes called “ethical hackers“, although I think that goes without saying: we use our skills for good. The goal is to improve security by uncovering vulnerabilities and getting them fixed.
Pentest or security audit teams put themselves into the mindset of a potential attacker, disgruntled employee or malicious hacker. We work to find the bugs in the network, application, design or system before the bad guys do, and let the client know the most secure way to fix them. Pentesting helps encourage everyone involved within the organization to remember that security is a process, should be applied in layers and that it cannot be purchased.
Security is never finished, there is always a back and forth.
To borrow an analogy from the infamous Cryptographer Bruce Schneier, imagine the following: You’re developing a new form of hardware safe. You want customers to trust your device for their valuables, but how do you know it’s really secure unless you have it tested? So you bring in some pentesters. They only need to find a single flaw and the whole system can crumble, but where is it? To make it even easier, you share with them the blueprints for the entire design, provide them with samples of the building materials and let them interview your engineers. After some reasonable time, if they’re unable to locate a weakness, it means your can be much more confident in the security. Obviously, you can never be 100% assured, as nothing has absolute security unless it’s completely unusable (buried at the bottom of the Mariana Trench).
Security itself is primarily about minimizing access, privilege and attack surfaces, either a browser sandbox or an ancient castle’s drawbridge. From locating the basic stack buffer overflow to a complex use-after-free vulnerability, or weak firewall rules and unsafe design, pentesting is applied hacking. Regardless of the type of assessment (network scan, code review, red team assessment, mobile or web application audit, whitebox or blackbox, etc.) you never know what you might discover.