WHAT IS PENTESTING (Ethical hacking)
Pentesting (penetration testing, ethical hacking) is a simulated cyber attack on a system or application.
The Purpose of Ethical Hacking
The purpose of pentesting is to uncover vulnerabilities and explore the effectiveness of defenses using both manual and automated methods. By locating and patching vulnerabilities through penetration testing on a regular basis, companies can reduce their risk of malicious hackers breaching their environment.
Types of Ethical Hacking
Most modern techniques used by ethical hackers fall under three main types of testing: black box testing, gray box testing, and white box testing.
Black Box
In a black-box testing assignment, the penetration tester is placed in the role of the average hacker, with no internal knowledge of the target system. Testers are not provided with any architecture diagrams or source code that is not publicly available. A black-box penetration test determines the vulnerabilities in a system that are exploitable from outside the network.
Now, black box testing encompasses a whole lot of testing techniques and designs, with some of the most popular being:
Error Testing
Equivalence Partitioning
Boundary Value Testing
Black box testing proves to be very useful for identifying vague vulnerabilities in smaller systems and specific sections of a more complex system. Testers are easier to come by as their technical requirements are not as complex. However, the main downside of black box testing is its inefficiency in providing valuable tests for larger systems.
Gray Box
A step up from black-box testing is gray-box testing. If a black-box tester is examining a system from an outsider’s perspective, a gray-box tester has the access and knowledge levels of a user, potentially with elevated privileges on a system. One way to think of gray box testing is as a mix of black box and white box testing.
Gray-box pentesters typically have some knowledge of a network’s internals, potentially including design and architecture documentation and an account internal to the network.
The most popular gray box testing techniques that are commonly used today are:
Matrix Testing
Pattern Testing
Orthogonal Array Testing
The appeal of gray box testing lies in its non-intrusive and unbiased testing. Testers won’t necessarily need to look at source code or the intricacies of a system the way a white box tester or developer would.
White Box
White-box testing goes by several different names, including clear-box, open-box, auxiliary and logic-driven testing. It falls on the opposite end of the spectrum from black-box testing.
In white box testing, ethical hackers are given full access to source code, architecture documentation and more. Testers are fully versed in the software that's being tested and are usually software developers who have much stronger coding knowledge and skills than testers in the previous types of testing. The testers will map out all of the code, using their expertise to match expected outcomes with those they found.
The most popular white box testing techniques that are commonly used today are:
The main challenge with white-box testing is sifting through the massive amount of data available to identify potential points of weakness, making it the most time-consuming type of penetration testing. However, because of this, it opens up the ability to optimize code and provide solutions as the developers have an in-depth understanding of the program’s source code.