Pentest - a definition
Wikipedia provides the following definition about "Penetration Testing" (an activity strictly related to the IT Security world also known with the shortest name of "PenTest")
"A penetration test, occasionally PenTest, is a method of evaluating the security of a computer system or network by simulating an attack from a malicious source, known as a Black Hat Hacker, or Cracker. The process involves an active analysis of the system for any potential vulnerabilities that could result from poor or improper system configuration, both known and unknown hardware or software flaws, or operational weaknesses in process or technical countermeasures. This analysis is carried out from the position of a potential attacker and can involve active exploitation of security vulnerabilities. Any security issues that are found will be presented to the system owner, together with an assessment of their impact, and often with a proposal for mitigation or a technical solution. The intent of a penetration test is to determine the feasibility of an attack and the amount of business impact of a successful exploit, if discovered."
PenTest are usually performed by very skilled professional in this fields who are hired by companies that need to ensure their systems are compliant to the best security practices.
PenTest are also very expensive services to buy and those very skilled professionals hired to perform these kind of activities are normally paid much more than other professional in the IT field (e.g. System Administrators, Web and Software Developer, DBA, etc.).
Why Another Web Site Talking About PenTest?
Despite the numerous documentation available on the internet regarding penetration testing methodologies we believe that what is really missing is a practical guide written by those very same professional that give some guidelines about how a penetration test should be performed.
Despite the richest amount of information contained in the various "free" manuals available on the web (e.g. the very famous OSSTMM ) what is really lacking today is an information source illustrating how the pen test is conducted in the real scenario.
One of the thing that is often overlooked by who is new in this market is that in a real scenario (e.g. a IT Security company selling a Pen Test to another organization) all the security activities need to be performed in a very limited time interval.
It is therefore necessary to follow a methodical approach in order to be sure to cover all the are of a penetration test assessment in the time scope assigned to the project, which often includes also writing a full report that represents the final deliverable of the activity.
The idea behind this website is then to provide our personal (and practical) approach to the PenTest activities focused on the following areas:
- External PenTest
- Internal PenTest
- Web Application PenTest
- WiFi Pentest
Our goal is to provide enough information for every of the above areas which could be useful to who is new in this market to start with the "right foot".
We are confident that providing a methodology which is written basing on a real experience is beneficial for the market as this could lead to a discussion to improve to methodology itself.
We are also confident enough that due to the high technical level required to be a successful PenTest engineer, revealing a methodology cannot harmful to the Security market as the PenTest professionals will be always limited in number in respect to the other professionals covering the other areas.
We will start soon illustrating our approach to an External PenTest, so stay tuned!
Post a Comment
EmoticonClick to see the code!
To insert emoticon you must added at least one space before the code.