Penetration testing, or the performance of simulated attacks on an organization's networks and applications, is typically carried out to verify the efficacy of network security tools and processes, evaluate new applications, fulfill compliance requirements, and illustrate to managers the necessity of addressing specific information security issues. By providing a detailed analysis of information system vulnerabilities as well as risk assessments and recommendations for improvement, penetration testing offers the enterprise an effective means of surveying and strengthening its security posture.
In order to assess the information security capabilities of an organization, penetration testing may be implemented at both network and application layers. Network penetration testing evaluates the susceptibility of networks and hosts to external attacks on Internet-facing servers or supporting infrastructure as well as attacks carried out internally. This type of penetration testing exposes system weaknesses such as open ports, insufficient patching, incorrect configurations, and poor password choices, and it exploits those vulnerabilities which leave enterprises susceptible to brute force attacks and other common attacks that target the network layer.
Application penetration testing, on the other hand, focuses on web-based applications accessible on premises and/or via the public Internet. Tests are carried out to detect and exploit standard application vulnerabilities, that is, well-known web application flaws targeted by attacks such as SQL injection or cross-site scripting.
Although penetration testing is a useful vulnerability management tool that can identify weaknesses commonly exploited by hackers, it has inherent limitations. The findings of penetration testing will be limited not only by the abilities of individual testers but also by the scope of and time allotted to each test—uncovering only that which testers seek and providing a snapshot of an enterprise's information security at a single point in time.
New vulnerabilities are discovered in applications, devices and servers every day. Meanwhile, cyber attacks are evolving in sophistication and scale. And as the enterprise's IT infrastructure increases in complexity, it has become extremely difficult to find and address all possible attack vectors through penetration testing alone. This is why more and more companies are choosing to incorporate flexible, on-demand cloud security solutions into their security ecosystems.
By leveraging Akamai's suite of Cloud Security Solutions, the enterprise gains a globally distributed, instantaneously scalable, always-on layer of defense, as well as access to centralized web security intelligence. Our Kona Site Defender provides powerful multi-layered DDoS mitigation capabilities and a Web Application Firewall, which detects potential web application attacks in HTTP and HTTPS traffic, such as the BREACH attack, absorbing or deflecting both network- and application-layer attacks before they reach your data center.