Pentest FAQ – #7 and #8 – What is a penetration test? And what is it not?

In our Big Application Security Penetration Test FAQ for clients we answer everything you should know before, during and after the commissioning of an Application Security Penetration Test.

In focus today: 

Question #7: What is a penetration test?

n a penetration test, the tester assumes the role of the attacker. They use all means at his disposal to access the application from the outside – in contrast to analysis techniques that start “inside”, such as code analysis – in order to uncover vulnerabilities. They also use their extensive knowledge of vulnerabilities and all kinds of tricks to bypass security mechanisms. The result is a report that describes the vulnerabilities in a comprehensible way, assesses them with regard to their potential danger and shows countermeasures.

Because they act as a benign “hacker”, the pentester is also called a white-hat hacker (as opposed to a malicious black-hat hacker) or an ethical hacker.

Question #8: And what is an Application Security Penetration Test not?

A penetration test of a web or mobile application is not about simulating the attacker scenario as realistically as possible in order to conclude whether an attacker could penetrate the application or not. And as a result define it in the first case as insecure, in the second as secure. Rather, penetration testing is to be understood as a quality assurance measure. As far as possible, all anomalies affecting the security of an application must be identified, evaluated, also regarding the context, and, if they represent an actual risk, remedied. The tester can perform his role most effectively if he receives the best possible support – more on this in question 10.

The Application Security Penetration Test FAQ for Clients contains answers to 40 additional questions to consider when planning, commissioning and conducting penetration tests.