Penetration testing is also known as a pen test. It is used for evaluating the security of a computer system or network that suffers from the attack of malicious outsider and insiders. In this process, we use an active analysis of the system for any potential vulnerability.
The penetration testing is valuable because of following reasons:
1. It determines the feasibility of a particular set of attack vectors.
2. It identifies the vulnerabilities from the higher to lower sequence.
3. It identifies the vulnerabilities which is not detected by the automated network or scanning software.
4. It provides evidence to support increased investment in personal security and technology.
The penetration testing is a component of security audit. It has several ways to conduct the testing like black box testing and white box testing. In black box testing there is no any prior knowledge of the infrastructure to be tested. It is necessary for the tester to first determine the location and then extend the system for concluding their analysis. The white box testing provides the full information about the infrastructure to be tested and sometimes also provides the network diagrams, source code and IP addressing information. There are some variations between black and white box testing which is known as gray box testing. The black box testing, white box testing and gray box testing are also known as blind, full disclosures and partial disclosure test respectively.
The penetration testing should be carried out on any computer which is to be deployed in any hostile environment, in any internet facing site, before the system is deployed. By this we provide the level of practical assurance for that the system will not be penetrated by any malicious user. The penetration testing is an invaluable technique for any organization for the information security program. Basically white box penetration testing is often used as a fully automated inexpensive process. The black box penetrating testing is a labor intensive activity that is why it is required expertise to minimize the risk of targeted system. The black box penetration testing may slow the organization network response time due to network scanning and vulnerability scanning. It is possible that system may be damaged in the course of penetration testing and may be inoperable. This risk may be minimizing by the use of experienced penetration testers but it can never be fully eliminated.
The web applications of penetration testing are as follows:
• It is used for the knowing vulnerabilities in Commercial off the Shelf (COTS) application.
• For the technical vulnerabilities like URL manipulation, SQL injection, cross-site scripting, back-end authentication, password in memory, session hijacking, buffer overflow, web server configuration, credential management, etc.
• For knowing business logic errors like day-to-day threat analysis, unauthorized logins, personnel information modification, price-list modification, unauthorized fund transfer, etc.