What Is Penetration Testing?

What Is Penetration (Pen) Testing?

Pen testing, short for penetration testing, is a cybersecurity practice in which authorized individuals or companies simulate cyberattacks on computer systems, networks, and applications to identify vulnerabilities that malicious hackers could exploit. Pen testing aims to uncover weaknesses in the system’s security measures before real attackers can exploit them.

Penetration testing, also known as “pen testing” or “pentesting,” is an in-depth process intended to expose hidden weaknesses in a system’s security countermeasures and controls. Typically conducted by an authorized outsider, pen tests simulate different kinds of attacks on all elements of a system. The goal is to discover vulnerabilities that the system’s creators, as well as security teams, may have overlooked.

Who performs penetration tests?

Pen tests are almost always performed by people who had no role in creating the target system. Typically, the pen tester, or testers, do not work for the entity that built the system at all. There are several reasons for this. For one thing, members of the development, QA/test, and security teams are too close to what they’ve built. The system may have security gaps that can be uncovered by a person who comes to it with fresh eyes and no preconceptions.

Additionally, pen testing is a distinct skill set that often requires purpose-built tools. It takes thinking like a hacker, and in fact, some pen testers are actually former “black hat” or criminal hackers who have decided to use their skills for legitimate purposes. As the old saying goes, it takes a thief to catch a thief. Pen testers may have special training and certifications as well. In most cases, employees of the organization that built the system lack these qualifications.

Pen testers are sometimes called “ethical hackers,” but the two roles differ. At a basic level, a pen tester is ethically hacking the target with a simulated attack. They have permission to “attack” and uncover security flaws that they have agreed not to exploit.

The difference is partly structural. Pen testing usually follows a preset series of processes with a disciplined approach to identifying and documenting security problems. Ethical hacking, in contrast, tends to be more open-ended. For instance, an ethical hacker might engage in a “bug bounty” program and be rewarded for discovering a previously unknown vulnerability. However, that is not the same as doing a thorough pen test and documenting what the process discovered.

Stages of pen testing

The methodology for a pen test typically follows five stages:

  1. Reconnaissance. This is an information-gathering step that occurs before the tester starts the penetration testing process. The tester learns the parameters of the target system and prepares a plan of attack.
  2. Scanning. The tester scans the target to determine how its information security systems will react to attempts to breach its controls and countermeasures. Almost always accomplished with the help of automated pen testing tools, the scans can find open ports, servers left with default admin accounts enabled, vulnerable misconfigurations, and other hidden ways into the target system.
  3. Access. It is time for the pen tester to get inside the target system, based on information discovered during the scanning stage. This may involve using techniques like SQL injection (SQLi) to retrieve administrative user credentials from a (theoretically secure) database. Once inside, the pen tester will map out how much damage an attacker could do with this level of access. For example, if a pen tester is able to move laterally from an initial target across the network infrastructure and gain access to a production application or sensitive data, he or she will report that an attacker could breach that system as well.
  4. Maintaining access. If the pen tester has done his or her job successfully, they will be able to maintain access to the target system. This mimics the all-too-common real-life situation in which malicious actors linger inside the victim’s network for months at a time. By maintaining access, the pen tester can also simulate advanced persistent threats (APTs).
  5. Analysis and cover-up. The pen tester concludes the test by making all traces of his or her presence disappear from the target system. Again, this simulates a real cyberattack, in which the attacker leaves behind no executables or log events that defenders could detect. This is followed by preparing a detailed report that documents the methods used, the gaps discovered, and a projection of the impact of a breach, among other important information for the security team.
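As an added illustration of the SQL injection mentioned in the access stage, the following example (written for this page, not Akamai's code) shows a deliberately vulnerable lookup next to its parameterized counterpart, run against a constructed in-memory SQLite table. The table contents, the user names and the placeholder password hashes are all invented sample data.

```python
import sqlite3

# Constructed sample table: user names, placeholder password hashes and roles.
SAMPLE_USERS = [
    ("alice", "argon2id$placeholder-hash-1", "admin"),
    ("bob", "argon2id$placeholder-hash-2", "user"),
]


def build_db() -> sqlite3.Connection:
    """Create an in-memory database holding the constructed sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list[tuple]:
    """Deliberately vulnerable: untrusted input is pasted into the SQL text.

    A quote character in `username` ends the string literal, so the rest of
    the input is interpreted as SQL and can change what the query returns.
    """
    query = f"SELECT username, role FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def lookup_hardened(conn: sqlite3.Connection, username: str) -> list[tuple]:
    """Hardened: parameter binding keeps the input as data, never as SQL."""
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ?", (username,)
    ).fetchall()


def compare(username: str) -> dict:
    """Run both lookups on the same input and return the rows each produces."""
    conn = build_db()
    try:
        return {
            "vulnerable": lookup_vulnerable(conn, username),
            "hardened": lookup_hardened(conn, username),
        }
    finally:
        conn.close()


if __name__ == "__main__":
    # The textbook tautology: the vulnerable query degenerates into
    # "... WHERE username = 'x' OR '1'='1'" and returns every row, so a
    # tester can enumerate accounts (including the admin) without a password.
    for probe in ("alice", "x' OR '1'='1"):
        result = compare(probe)
        print(f"{probe!r}: vulnerable={len(result['vulnerable'])} rows, "
              f"hardened={len(result['hardened'])} rows")
```

The hardened version returns no rows for the injected input because the driver sends the value separately from the query text; the remediation a pen test report would recommend is exactly this switch to bound parameters everywhere user input reaches a query.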

Types of pen tests

Aligning the pen testing program with all relevant system types in an organization is a wise risk management practice. Since any connected device, application, or data source can be part of an attack surface, it makes sense to use pen testing to assess their vulnerabilities to breach. In general, it doesn’t make sense to do a penetration test on a web app but not a mobile app. Either one could be a cybersecurity attack path for a malicious actor from vectors ranging from phishing to social engineering.

Pen tests fall into six broad categories:

Applications. The pen tester uses automated tools and manual testing to look for vulnerabilities inside applications and connected databases. This might mean examining the application binaries themselves or authorization processes, encryption, the potential for SQLi, and comparable attack methods.

Networks. The network, as the organization’s security perimeter (at least in theory), needs to be subjected to rigorous penetration testing. The process usually involves a systematic look at administrative access controls, Secure Sockets Layer (SSL), encrypted transport protocols, certificates, network segmentation, and more.

Cloud. With the cloud, the pen tester looks at system configurations, application programming interfaces (APIs), and storage. The tester will also probably look for cloud instances that were set up without the standard policies in place. This is more common than people realize. A well-meaning but misinformed developer may deploy an application and database to a cloud platform without applying security controls or even notifying anyone that the cloud instance exists.
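The kind of "instance set up without the standard policies" described above is often visible in storage configuration. The following added example (not Akamai's code) checks a set of constructed bucket policies, written in the shape of AWS S3 bucket policy documents, for statements that grant unconditional access to anonymous principals. The bucket names, the account id and the role are placeholders.

```python
# Constructed sample bucket policies in the shape of AWS S3 bucket policies.
# Bucket names, the account id and the role name are placeholders, not real resources.
SAMPLE_POLICIES = {
    "public-assets": {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::public-assets/*",
        }],
    },
    "customer-exports": {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::123456789012:role/export-job"},
            "Action": ["s3:GetObject", "s3:PutObject"],
            "Resource": "arn:aws:s3:::customer-exports/*",
        }],
    },
    # The "shadow" deployment from the paragraph above: created without a standard policy.
    "shadow-db-backups": {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": "*"},
            "Action": "s3:*",
            "Resource": ["arn:aws:s3:::shadow-db-backups", "arn:aws:s3:::shadow-db-backups/*"],
        }],
    },
}

WRITE_PREFIXES = ("s3:Put", "s3:Delete", "s3:*")


def _as_list(value):
    """Policy fields may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def principal_is_anyone(principal) -> bool:
    """True when the statement's Principal grants access to the whole world."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def public_statements(policy: dict) -> list[dict]:
    """Return Allow statements that any anonymous caller could use.

    A Condition block can narrow a wildcard principal (for example to a
    source IP range), so statements carrying one are left for manual review
    rather than flagged automatically.
    """
    return [
        stmt for stmt in policy.get("Statement", [])
        if stmt.get("Effect") == "Allow"
        and principal_is_anyone(stmt.get("Principal"))
        and "Condition" not in stmt
    ]


def severity(actions) -> str:
    """Public write or wildcard access is rated worse than public read."""
    if any(a.startswith(WRITE_PREFIXES) for a in _as_list(actions)):
        return "high"
    return "medium"


def find_public_buckets(policies: dict) -> dict[str, str]:
    """Map each bucket with an unconditional public Allow to its severity."""
    rank = {"medium": 1, "high": 2}
    findings = {}
    for bucket, policy in policies.items():
        open_stmts = public_statements(policy)
        if open_stmts:
            findings[bucket] = max(
                (severity(s.get("Action", [])) for s in open_stmts),
                key=lambda level: rank[level],
            )
    return findings


if __name__ == "__main__":
    for bucket, level in find_public_buckets(SAMPLE_POLICIES).items():
        print(f"[{level.upper()}] bucket '{bucket}' allows unconditional anonymous access")
```

Run against real configuration exported from the cloud provider's API, the same check turns a manual review of "which buckets are public" into a repeatable control; the sample deliberately includes a policy that is public by design (static assets), one that is correctly scoped to a role, and one that exposes everything.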

Software development processes. The DevOps workflow and continuous integration/continuous deployment (CI/CD) pipeline are places where developers inadvertently embed bugs and coding errors into software that make the application vulnerable to breach. With automated pen testing of DevOps and the CI/CD pipeline, the tester may find hidden vulnerabilities that cannot be detected with static code scanning. The pen tester will also try to get into the developer workflow and see if he or she can insert malicious code into the codebase. They will take similar actions regarding containers, such as Docker.

Devices. Hardware can be vulnerable to a breach just as much as a network or an application. A pen tester will try to break into the device using vulnerabilities in its application binaries, firmware, and operating system software. It is common for pen testers to find weaknesses in devices that have not had security patches installed.

APIs. A pen tester will use a combination of manual and automated API testing processes to determine whether an API has any of the Open Worldwide Application Security Project (OWASP) API Security Top 10 vulnerabilities, such as Broken Object Level Authorization (BOLA), while also checking for missing rate limiting and user authentication weaknesses.
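To make the BOLA and rate-limiting points concrete, the following added example (not Akamai's or OWASP's code) models an "/orders/{id}" endpoint as plain Python functions: a handler that authenticates the caller but never checks object ownership, the same handler with an object-level authorization check, and a small sliding-window rate limiter. The orders, customers and limits are constructed sample data.

```python
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Order:
    order_id: int
    owner: str       # user name of the customer who placed the order
    total: float


# Constructed sample data: two customers, one order each. Not real records.
ORDERS = {
    101: Order(101, "alice", 49.99),
    102: Order(102, "bob", 120.00),
}


class NotFound(Exception):
    """Would map to HTTP 404 in a real API."""


def get_order_vulnerable(caller: str, order_id: int) -> Order:
    """BOLA: the caller is authenticated, but ownership of the object is never checked.

    Any logged-in user who changes the id in the URL reads other customers' orders.
    """
    if order_id not in ORDERS:
        raise NotFound(order_id)
    return ORDERS[order_id]


def get_order_hardened(caller: str, order_id: int) -> Order:
    """Object-level authorization: the object must belong to the caller.

    Missing and foreign objects get the same response, so the endpoint does
    not confirm which ids exist.
    """
    order = ORDERS.get(order_id)
    if order is None or order.owner != caller:
        raise NotFound(order_id)
    return order


class RateLimiter:
    """Sliding-window limiter: at most `limit` requests per `window_seconds` per client.

    The clock is passed in by the caller so behaviour is deterministic and testable.
    """

    def __init__(self, limit: int, window_seconds: float):
        self.limit = limit
        self.window = window_seconds
        self._hits: dict[str, deque] = {}

    def allow(self, client: str, now: float) -> bool:
        hits = self._hits.setdefault(client, deque())
        while hits and now - hits[0] >= self.window:
            hits.popleft()                      # drop requests outside the window
        if len(hits) >= self.limit:
            return False                        # HTTP 429 Too Many Requests
        hits.append(now)
        return True


def probe_order(handler, caller: str, order_id: int) -> str:
    """Call a handler and summarise the outcome the way a test report would."""
    try:
        order = handler(caller, order_id)
    except NotFound:
        return "404"
    return "leak" if order.owner != caller else "ok"


if __name__ == "__main__":
    # bob asks for alice's order: the vulnerable handler hands it over
    print("vulnerable:", probe_order(get_order_vulnerable, "bob", 101))
    print("hardened:  ", probe_order(get_order_hardened, "bob", 101))
    # Repeated id guessing against the hardened endpoint is also throttled
    limiter = RateLimiter(limit=5, window_seconds=60)
    decisions = [limiter.allow("bob", t) for t in range(7)]
    print("rate limiter decisions for 7 requests in 7 seconds:", decisions)
```

The two handlers differ by a single comparison, which is why BOLA is so common: the authentication layer is present and working, and the missing ownership check is invisible to scanners that only look for unauthenticated access. The limiter is a second, independent control that slows enumeration even where an authorization bug slips through.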

Benefits of pen testing

Pen testing offers a variety of benefits that are not available through other modes of security testing. This does not detract from the importance and necessity of performing unit testing, functional testing, and the like. However, pen testing makes it possible to find security flaws that other processes simply cannot uncover.

In addition, pen testing can show the entire attack chain — how the attacker discovered the vulnerability, exploited it, gained access, and maintained access. As a result, pen testing enables security teams to fix systemic problems that are otherwise invisible. An effective pen test will also show how strong a control or countermeasure really is. This is all the more significant when considered in light of compliance with regulations like PCI DSS and GDPR.

Approaches to pen testing

Pen tests differ in approach depending on the number and nature of exploitation targets, the level of information available to or gleaned by the tester, and the tools, skills, and resources the tester has at their disposal. The main approaches are distinguished by how much the tester knows about the target in advance, and are commonly described as forms of “box” testing:

Black-box pen testing: When taking a black-box (aka closed-box or single-blind) approach to pen testing, the tester has no prior knowledge of the target system and tests it only from an external perspective to simulate a real-world attack. They make use of the most creative and unbiased tactics they can with no assumptions. 

White-box pen testing: In a white-box (aka open-box or clear-box) approach, the pen tester gets preapproved access to the company’s security information and therefore conducts the test from an informed position. This approach saves the tester time spent guessing, potentially allowing them to identify more risks. It also provides extensive information about the target system, including architecture diagrams, source code, and functionality, allowing for a thorough and detailed analysis that uncovers deeper vulnerabilities that might not be visible with limited information.

Gray-box pen testing: In a gray-box approach, the hacking team is privy to partial information on the company’s system. As a result, they have a better chance of identifying high-risk vulnerabilities and prioritizing fixing them.

A covert or double-blind approach is when everyday users — including IT personnel — are unaware that the test is taking place. This tests the capability of IT to respond to breaches in real time. Such a test might involve informing law enforcement up front so as not to cause any false alarms.

Pen testing guarantees business continuity

Pen tests are an important form of vulnerability assessment that helps maintain robust and effective network security in any organization. They help businesses:

  • Detect and close security issues before an external hacker exploits them
  • Identify high-risk areas in the IT infrastructure and allocate security budget wisely
  • Improve alertness levels and response times of in-house IT and security personnel
  • Close gaps in data privacy and security compliance
  • Mitigate the impact of real breaches when they occur

Thus, proper penetration testing is vital to securing IT workloads and customer data, and to keeping operations going smoothly.

Frequently Asked Questions

As an enterprise, it is imperative to familiarize yourself with different security testing tools, including vulnerability scanning and penetration testing.

Vulnerability scanning is the process of identifying potential vulnerabilities and susceptible areas of a network. This can include scoping out entire routers, system setups, servers, and any firewalls that may be in place. The output is essentially a map of potential attack vectors: the methods an attacker could use to breach the organization.

Penetration testing, on the other hand, is a bit more involved and proactive. With penetration testing, ethical hackers will conduct breaches to expose potential security violations and/or vulnerabilities. Penetration testers will determine which attack surface is best to target for an optimal outcome. Using penetration testing is ideal for those who want to learn more about the hackability and security of their own systems currently in place.

Penetration tests should be conducted at least one to two times each year to identify security vulnerabilities. In some cases, you may need to perform penetration tests even more frequently, depending on the size and reach of your organization. With the rise in cyberattacks and security breaches across all industries, it’s imperative to be proactive regarding digital vulnerabilities and conduct pen tests regularly.

Depending on your current setups, API security measures, and the scale of your operation, a penetration test will typically take between one and two weeks to complete. However, the time to complete a penetration test will vary based on your equipment, firewalls, and networks you intend to target.

Why customers choose Akamai

Akamai is the cybersecurity and cloud computing company that powers and protects business online. Our market-leading security solutions, superior threat intelligence, and global operations team provide defense in depth to safeguard enterprise data and applications everywhere.
