Penetration Test

In general, a penetration test, occasionally pen-test, is a method of evaluating computer and network security by simulating an attack on a computer system or network from external threats.  The process involves an active, simulated attack, usually against firewalls and/or web applications, with the goal of identifying any potential vulnerabilities resulting from system configuration issues, known and unknown hardware or software flaws, or operational weaknesses. This analysis is carried out from the position of a potential attacker and can, but usually does not involve active exploitation of security vulnerabilities.

Security issues uncovered through the penetration test are verified, scored, documented and reported.  Effective penetration tests result in adequate reporting that enables the organization to make risk-based decisions on the mitigation or acceptance of identified vulnerabilities.

A Penetration test is valuable for several reasons:

1. Determining the feasibility of a specific types of attacks, man common
2. Identifying higher-risk vulnerabilities that result from a combination of lower-risk vulnerabilities
3. Identifying vulnerabilities that may be difficult or impossible to detect with automated scanning software
4. Assessing the magnitude of potential business and operational impacts of successful attacks
5. Testing the ability of intrusion detection and intrusion prevention systems to successfully detect and respond to the attacks
6. Providing evidence to support increased investments in security personnel and technology

Penetration tests are a component of a full Security Audit or Assessment and are often required by clients or regulators.  For example, the Payment Card Industry Data Security Standard (PCI DSS) security and auditing standard requires both annual and ongoing penetration testing.