What is Pentesting? (and What to Look for When Choosing a Service Provider)

You’ve probably heard the term pentesting and wondered what it means. You may even have had a pentest done and not been quite sure what it was.

In this post, we’re going to tell you what pentesting means and what to look for when choosing a service provider.

How is Pentesting Different from Vulnerability Assessment?

Pentesting is also known as ethical hacking, and it’s a process by which you try to penetrate a given system. Vulnerability assessment is not pentesting and, unfortunately, the two are often confused.

Vulnerability assessment is a process by which you systematically try to determine the weaknesses of a given system. Pentesting takes the result of that and tries to combine those vulnerabilities to see if there are opportunities to actually exploit the system.

A vulnerability assessment can be done manually or using automated tools. Automated tools can provide a false sense of security: they produce many false positives, they only know as much as the rules they have been given, and they have no context about your business.

Furthermore, vulnerability assessment tools often produce severity ratings that are generic, baseline industry information; they do not take into account your assets or the business impact that would occur if those assets were under attack.
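To make the point about generic severity ratings concrete, here is an added example (not code from the original post or from Forward Security) that re-ranks scanner findings using business context. The asset inventory, the criticality scale, the exposure multiplier and the sample findings are all constructed assumptions; the idea is simply that the same generic rating means different things on different assets, and that unvalidated scanner output is flagged for a human to confirm before anyone acts on it.

```python
"""Re-prioritising generic scanner severities with business context.

Added example with constructed data; not part of the original post.
"""
from dataclasses import dataclass

# Constructed asset inventory (assumption): business criticality on a 1-5
# scale and whether the asset is reachable from the internet.
ASSETS = {
    "public-web": {"criticality": 5, "internet_facing": True},
    "hr-portal": {"criticality": 4, "internet_facing": False},
    "dev-sandbox": {"criticality": 1, "internet_facing": False},
}

# Numeric weight for the scanner's generic severity label.
SEVERITY_SCORE = {"critical": 4, "high": 3, "medium": 2, "low": 1, "info": 0}

# Assumed multiplier for assets exposed to the internet.
EXPOSURE_MULTIPLIER = 1.5


@dataclass
class Finding:
    asset: str
    check: str               # name of the scanner rule that fired
    generic_severity: str    # scanner's baseline rating
    validated: bool = False  # set to True once a human has confirmed it


def contextual_priority(finding: Finding) -> float:
    """Combine the generic severity with asset criticality and exposure."""
    asset = ASSETS[finding.asset]
    score = SEVERITY_SCORE[finding.generic_severity] * asset["criticality"]
    if asset["internet_facing"]:
        score *= EXPOSURE_MULTIPLIER
    return float(score)


def prioritise(findings):
    """Return findings ordered by contextual priority, highest first.

    Each entry keeps the scanner's generic rating next to the contextual
    score so the reviewer can see where the two disagree, and marks
    unvalidated results as possible false positives.
    """
    rows = []
    for f in findings:
        rows.append({
            "asset": f.asset,
            "check": f.check,
            "generic_severity": f.generic_severity,
            "priority": contextual_priority(f),
            "status": "confirmed" if f.validated else "needs validation",
        })
    return sorted(rows, key=lambda r: r["priority"], reverse=True)


# Constructed sample scanner output (assumption).
SAMPLE_FINDINGS = [
    Finding("dev-sandbox", "outdated-library", "high"),
    Finding("public-web", "verbose-error-page", "medium", validated=True),
    Finding("hr-portal", "default-credentials", "critical"),
]

if __name__ == "__main__":
    for row in prioritise(SAMPLE_FINDINGS):
        print(f"{row['priority']:5.1f}  {row['asset']:<12} "
              f"{row['generic_severity']:<8} {row['check']:<22} {row['status']}")
```

Run as a script, the "high" on the low-value sandbox drops below the "medium" on the internet-facing site, which is exactly the re-ordering a generic rating cannot give you; the "needs validation" column is the reminder that a scanner hit is a lead, not a confirmed vulnerability.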

The Three Types of Pentesting

There are 3 types of pentesting:

  • Black box
  • White box
  • Gray box

You may ask, what is the difference between them?

Black box, just like it sounds, is when the pentester has no prior knowledge of the system. They are presented with a black box and asked to identify its security problems and try to exploit them.

White box, at the opposite end, is where the pentester is given all of the knowledge about the system, including internal design and access, so that they can fully understand the blueprint, dig deep into it and identify all of the security issues.

Gray box is somewhere in between where the pentester is provided with some level of information and expected to perform their pentesting activities.

How to Choose a Pentest Provider?

When choosing a pentesting provider, here are the two major considerations:

  • Does the provider follow standard practices, such as the Open Web Application Security Project (OWASP) Application Security Verification Standard (ASVS)?
  • Are the pentesters familiar with applications and software development? Often the pentesters have a network background and do not understand software, and you won’t get the best results from the pentest.

At Forward Security, we align our pentesting services with OWASP’s ASVS recommendations and they’re often part of our risk assessment services.