What is Pentesting? (and What to Look for When Choosing a Service Provider)

You’ve probably heard of the term pentesting and wondered what it means. You’ve probably even had a pentest done and was not quite sure what it was.

In this post, we’re going to tell you what pentesting means and what to look for when choosing a service provider.

How is Pentesting Different from Vulnerability Assessment?

Pentesting is not the same as a vulnerability Assessment and, unfortunately, oftentimes the two are confused.

Pentesting is known as ethical hacking, and is a process by which you try to penetrate a given system.

Vulnerability assessment is a process by which you systematically try to determine the weaknesses of a given system. This can can be done manually or using automated tools. The tools can often provide a false sense of security because they have a lot of false positives and don’t take into consideration the risk – which is a combination of the likelihood and impact to the business. This requires a person with knowledge of the business and security architecture to manually triage and remediate the issues. Whereas tools only know as much as the rules they have been provided.

Vulnerability assessment tools produce severity ratings that are generic and baseline industry information without taking into a context your assets and the business impact that could happen if those assets were on under attack.

Pentesting takes the result of that and tries to combine those vulnerabilities to see if there are opportunities to actually exploit the system.

The Three Types of Pentesting

There are 3 types of pentesting:

  • Black box
  • White box
  • Gray box

Black box is when the pentester has no knowledge of the information, essentially they are presented with a black box, and they are asked to identify the security problems, and to  try to exploit it.

White box is where the pentester is given all the knowledge about the system, including internal design and access so that they can fully understand the blueprint and really dig deep and identify all the security issues.

Gray box is somewhere in between. This is where the pentester is provided with some level of information and is expected to perform their pentesting activities.

How to Choose a Pentest Provider?

When choosing a pentesting provider, there are the two major considerations:

  • Does the provider follow standard practices such Open Web Application Security Project (OWASP) and Security Verification Standard (ASVS)?

  • Are the pentesters familiar with applications and software development? Often the pentesters might have a network background but does not understand anything about software, and you won’t get the best results from the pentest.

At Forward Security, we align our pentesting services with OWASP’s ASVS recommendations and they’re often part of our risk assessment services.