What is penetration testing, anyway?

Infosec Institute - 

If you have a software system that protects valuable data or other assets, you probably want it tested for security vulnerabilities. That has likely led you to explore the types of security assessments available, and you have probably found that the most commonly referenced one is “penetration testing.”

What many companies don’t realize, however, is that what is sold as “penetration testing” often isn’t penetration testing at all. Worse yet, they don’t realize that they might actually need something else.

When it comes to testing applications for security vulnerabilities, terms are used incorrectly all the time. If you don’t realize it’s happening, it can have dire consequences.

Most people ask for penetration testing, but are sold vulnerability scanning instead. However, what most people actually need is something else entirely: vulnerability assessments.

Those are remarkably different things. Each requires a different investment of time, effort and money. Each has different goals. Each produces different outcomes.

Penetration testing

The most commonly referenced type of security testing is “penetration testing.” That has become a catchall term, and, unfortunately, it’s misleading.

True penetration testing is a tactical service suitable for robust, hardened, thoroughly tested systems. It’s a time-constrained effort to measure a single outcome. For example, a

