Penetration testing is
|“||[a] test methodology in which assessors, using all available documentation (e.g., system design, source code, manuals) and working under specific constraints, attempt to circumvent the security features of an information system.||”|
|“||[t]he portion of security testing in which the evaluators attempt to circumvent the security features of a system. The evaluators may be assumed to use all system design and implementation documentation, which may include listings of system source code, manuals, and circuit diagrams. The evaluators work under the same constraints applied to ordinary users.||”|
|“||the practice of testing a computer system, network or Web application to identify vulnerabilities that an attacker could exploit.||”|
|“||[t]esting that verifies the extent to which a system, device or process resists active attempts to compromise its security.||”|
"Penetration testing can use many methods to attempt a system break-in. In addition to using active automated tools, . . . penetration testing can be done "manually." For many systems, lax procedures or a lack of internal controls on applications are common vulnerabilities that penetration testing can target. Penetration testing is a very powerful technique; it should preferably be conducted with the knowledge and consent of system management."
"Penetration tests are valuable for several reasons:
- determining the feasibility of a particular set of attack vectors;
- identifying higher-risk vulnerabilities that result from a combination of lower-risk vulnerabilities exploited in a particular sequence;
- identifying vulnerabilities that may be difficult or impossible to detect with automated network or application vulnerability scanning software;
- assessing the magnitude of potential business and operational impacts of successful attacks;
- testing the ability of network defenders to successfully detect and respond to the attack; and
- providing evidence to support increased investments in security personnel and technology.
- NIST Special Publication 800-53A.
- Department of Defense, National Computer Security Center, Glossary of Computer Security Terms (NCSC-TG-004, Ver. 1) (Oct. 21, 1988).
- Report on Cyber Security in the Banking Sector, at 5.
- NIST Special Publication 800-152, at 134.
- NIST Special Publication 800-33, at 25.
- Report on Cybersecurity Practices, at 21.