Penetration testing is an in-depth analysis of a website or network to uncover hidden vulnerabilities. A penetration tester actually performs the exploit to create a proof of concept for the weakness, as opposed to a vulnerability assessment, which limits itself to scanning resources to identify vulnerabilities.
Types of Penetration Testing
- White Box / Full knowledge test: The penetration testing team has as much knowledge as possible about the systems to be evaluated. This test simulates the attacks that might be mounted by a person with knowledge of the victim, e.g. employees, vendors, etc.
- Gray Box / Partial knowledge test: The testing personnel are provided with some information related to the specific type of vulnerability of interest. This knowledge is usually constrained to detailed design documents and architecture diagrams. It is a combination of the Black Box and White Box testing methods.
- Black Box / Zero knowledge test: The testing team is provided with no specific information and begins the test by gathering information on its own initiative. Information-gathering activities such as reconnaissance and social engineering are some ways of collecting it. This type of test closely mirrors the hacker's methodology.
Typically the type of penetration test is chosen based on the following:
- Tests intended to broadly approximate the short-term efforts of targeted attackers with limited resources and knowledge can be conducted using black box methodologies.
- Tests intended to reflect longer-term efforts by attackers who have more significant resources, such as design documents, the technology in use, algorithms and architecture diagrams, can be conducted using gray box methodologies. Gray box tests help reflect the knowledge of application internals that such attackers need in order to bring their full resources to bear.
- Teams that need to make the most detailed and insightful future recommendations about applications within a limited amount of time should use white or clear box testing.