The IT Law Wiki


Penetration testing is

[a] test methodology in which assessors, using all available documentation (e.g., system design, source code, manuals) and working under specific constraints, attempt to circumvent the security features of an information system.[1]
[t]he portion of security testing in which the evaluators attempt to circumvent the security features of a system. The evaluators may be assumed to use all system design and implementation documentation, which may include listings of system source code, manuals, and circuit diagrams. The evaluators work under the same constraints applied to ordinary users.[2]
the practice of testing a computer system, network or Web application to identify vulnerabilities that an attacker could exploit.[3]
[t]esting that verifies the extent to which a system, device or process resists active attempts to compromise its security.[4]


"Penetration testing can use many methods to attempt a system break-in. In addition to using active automated tools, . . . penetration testing can be done "manually." For many systems, lax procedures or a lack of internal controls on applications are common vulnerabilities that penetration testing can target. Penetration testing is a very powerful technique; it should preferably be conducted with the knowledge and consent of system management."[5]

"Penetration tests are valuable for several reasons:

Penetration Tests can take different forms depending on a firm's specific objectives for the test. Each of these contributes in its own way to an overall defense-in-depth strategy."[6]


See also[]