The cybersecurity industry coined the term "penetration testing" for an audit that tests how penetrable an organisation's digital or other security assets are.
In effect, an independent party, working in a controlled environment, uses technical or social tools to circumvent safeguards set up by a client organisation, in order to prove how a malicious party might exploit such weaknesses to gain access to privileged or confidential information or assets.
Depending on the client’s requirement, such as meeting specific regulatory criteria or a regular security health check, penetration testing can involve several steps. A simple penetration test may involve contracting an accredited tester to identify security threats and devise a proof of concept to exploit identified threats, usually on software assets that store or process confidential information, such as a web application. In this simple scenario, the tester first performs a reconnaissance of the technologies the application uses directly or indirectly, such as networking artefacts, software dependencies, databases and security protocols. The aim of this step is to understand the underlying architecture through which confidential information flows and is stored.
After that, the tester may look for known vulnerabilities in software that the application is built on or utilises, as reported through responsible disclosure programmes or patching regimes. They will test whether the code sanitises its input, especially where the web application has entry points such as input fields that interact with the database directly, and they will examine secondary dependencies such as network vulnerabilities. Finally, they ensure the database itself is secured appropriately and does not leak information.
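The input-handling check described above can be illustrated with a small added example, which is not part of the original article. It sets a lookup that pastes an input field's value into the SQL text beside one that binds it as a parameter, then runs a defender's regression check on both. The table, function names and sample rows are constructed for illustration.

```python
import sqlite3


def make_db():
    """Constructed in-memory table standing in for the application's database."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, surname TEXT, email TEXT)"
    )
    db.executemany(
        "INSERT INTO customers (surname, email) VALUES (?, ?)",
        [("O'Brien", "ob@example.test"), ("Tan", "tan@example.test")],
    )
    return db


def find_concatenated(db, surname):
    # Weak form: the field value becomes part of the SQL statement itself,
    # so characters in the input can change the statement's structure.
    sql = "SELECT email FROM customers WHERE surname = '" + surname + "'"
    return [row[0] for row in db.execute(sql)]


def find_parameterised(db, surname):
    # Hardened form: the value is bound as a parameter and is only ever data.
    sql = "SELECT email FROM customers WHERE surname = ?"
    return [row[0] for row in db.execute(sql, (surname,))]


def input_treated_as_data(lookup, db):
    """Regression check: a legitimate surname containing a quote character
    must come back as an ordinary match, not alter or break the query."""
    try:
        return lookup(db, "O'Brien") == ["ob@example.test"]
    except sqlite3.Error:
        # The input changed how the statement parsed: it was treated as code.
        return False


if __name__ == "__main__":
    db = make_db()
    for lookup in (find_concatenated, find_parameterised):
        verdict = "pass" if input_treated_as_data(lookup, db) else "FAIL"
        print(f"{lookup.__name__}: {verdict}")
```

A check of this kind can sit in the application's own test suite, so that a lookup which stops binding its input is caught before the next audit.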
More complicated audits may bring into scope several web applications, infrastructure servers, Bring Your Own Device (BYOD) or end-user computing devices used by staff, firewalls and other networking equipment, and data storage infrastructure. This end-to-end approach gives organisations an opportunity to address their security risks, hopefully before they are exploited and result in a data breach. By identifying vulnerabilities, it provides a level of assurance around mitigating or accepting security risks.
Test, evaluate and enhance your cybersecurity posture
Ensign Infosecurity, a company in the ISTARI Collective, uses automated and manual interventions to execute advanced penetration tests that can identify gaps and vulnerabilities in applications, networks, systems and the cloud. This service provides a detailed picture of the flaws that exist in the organisation’s systems and the technical risks associated with those flaws.