Penetration Testing and Vulnerability Assessment
Penetration Testing or pentest is a process or method thatis followed in order to conduct a
strong security audit of an organization. It may be limited to a network security audit, or
internal websites security audit, Physical Security Audit, Social Engineering Audit or the whole
organization security audit. The pentest should always be carried out in a well-laid plan, and
proper methodology. It should be a combination of rules, procedures and skills during the
course of an information security audit.
It also may require implementation of the required security features, such as implementing a
Web Application Firewall, or an Intrusion Detection System (IDS) or whatever the case may be.
Penetration Testing could be classified into two types depending on the user’s knowledge:
Black Box Testing
Black Box Testing involves security checks against an Operating System or an environment,
with which the penetration tester is not familiar with, and doesn’t have much information
about it. In most of the cases of Black Box security audit, the attacker is at a remote location,
without having the full idea of the network internals. Once the test is complete, the
penetration tester should prepare a well detailed report of all the circumstances he faced, and
the ways through which he could get in, and what all security measures need to be taken, in
order to make the organization more secure.
White Box Testing
White Box testing is also generally referred to as Internal Testing, as in
most of the cases, the penetration tester has access to the internal networks and has all the
information related to the network. He also knows beforehand, about what all technologies
are being used in the organization, and he may then try looking for security issues in the
The combination of both types of testing is also known as Grey-Box Testing.
Penetration Testing Methodologies
Even though Penetration testing methodology may vary from person to person, there are
some standard set of methods defined, which could be used as a basis while conducting
Penetration tests on organisations.