Penetration testing, or pentesting, is like a general inspection for your car, except that instead of a car you diagnose the security of your applications. To do so, you hire consultants with hacking experience. Those “good hackers” (often called ethical hackers or white-hat hackers) can find the vulnerabilities in your system or app. At the end, the customer gets a thorough report with bug-fixing tips and recommendations for further action. After fixing all the bugs, the customer can get a re-test. A re-test is sometimes offered for free and sometimes costs a small sum (often 5-20% of the pentest cost).
You can pentest web and mobile applications, networks (infrastructure), APIs, and even IoT devices like smartwatches, smart TVs, smart machines, etc.
There are different levels of in-depth hacking, the so-called penetration testing strategies:
White-box testing goes by several different names, including clear-box, open-box, auxiliary and logic-driven testing. Penetration testers are given full access to source code, architecture documentation, and credentials to enter the system. White-box pentesters check security not only from the inside but also from the outside, by hacking into systems without proper access. For that they use both static and dynamic analysis. White-box testing is the slowest and most comprehensive form of pentesting.
In black-box testing, testers do not have any information about the target and have to “hack” the system like a regular hacker. This means that black-box penetration testing relies on dynamic analysis of currently running programs and systems within the target network. Testers have to create network maps on their own. The limited knowledge provided to the penetration tester makes black-box penetration tests the quickest to run, since the duration of the assignment largely depends on the tester’s ability to locate and exploit vulnerabilities in the target’s outward-facing services.
In gray-box testing, testers have the access and knowledge level of a user. This means gray-box pentesters typically have some knowledge of a network’s internals, potentially including design and architecture documentation and an account internal to the network. Having this basic knowledge about the target, testers can focus their effort on assessing the most critical systems.