Pentest FAQ – #7 and #8 – What is a penetration test? And what is it not?

Sep 2, 2019

Pentest FAQ - #7 and #8 - What is a penetration test? And what is it not?

In our Big Application Security Penetration Test FAQ for clients we answer everything you should know before, during and after the commissioning of an Application Security Penetration Test.

In focus today: 

Question #7: What is a penetration test?

n a penetration test, the tester assumes the role of the attacker. They use all means at his disposal to access the application from the outside – in contrast to analysis techniques that start “inside”, such as code analysis – in order to uncover vulnerabilities. They also use their extensive knowledge of vulnerabilities and all kinds of tricks to bypass security mechanisms. The result is a report that describes the vulnerabilities in a comprehensible way, assesses them with regard to their potential danger and shows countermeasures.

Because they act as a benign “hacker”, the pentester is also called a white-hat hacker (as opposed to a malicious black-hat hacker) or an ethical hacker.

Question #8: And what is an Application Security Penetration Test not?

A penetration test of a web or mobile application is not about simulating the attacker scenario as realistically as possible in order to conclude whether an attacker could penetrate the application or not. And as a result define it in the first case as insecure, in the second as secure. Rather, penetration testing is to be understood as a quality assurance measure. As far as possible, all anomalies affecting the security of an application must be identified, evaluated, also regarding the context, and, if they represent an actual risk, remedied. The tester can perform his role most effectively if he receives the best possible support – more on this in question 10.

The Application Security Penetration Test FAQ for Clients contains answers to 40 additional questions to consider when planning, commissioning and conducting penetration tests.

Recent posts

mgm sp @ Dresden

Our second office is located in Dresden, the capital of Saxony. Come have a look at our office there!

read more

mgm sp @ Heise DevSec

With the topic “How practical is DevSecOps really? – A field report” our colleague Maximiliane Zirm is present at this year’s Heise devSec. 

read more

Tool Tuesday – nmap

One tool which should be installed on every pentester PC is nmap. This command line tool is the Swiss army knive for penetration tests on network level, but also used regularly by system administrators.

read more

mgm sp @ Munich

Our head office is located in the heart of Bavaria, since the time of SecureNet. Come have a look!

read more