Penetration testing refers to the security evaluation of a IT system by exploiting its vulnerabilities. It is important to understand the difference between vulnerability scanning and penetration testing. Unfortunately in the industry today these two terms are used interchangeably which has caused a fair bit of confusion. Vulnerability scanning goal is to identify and report on the known vulnerabilities that are found in the system. Penetration testing goes a step further and tries to exploit all known and unknown vulnerabilities that may exist in a system. It’s important to note that the penetration testing isn’t just limited to only the application. As part of the tests it also aims to identify vulnerabilities in operating system, the network and any controls or processes that are deployed with it.
Penetrating testing can be performed either with automated tools or manually. Both approaches are conducted with the same purpose i.e. to exploit vulnerabilities. The main difference between the two is how they’re performed. Automated tests as the name suggests are performed without any user intervention whereas manual tests are performed by users who are experts in the field.
Automated tools are used to improve testing efficiency and discover issues that might be difficult to find using manual analysis techniques alone. Automated tools make use of two testing techniques known as static and dynamic scans. Static scans are focused primarily on binaries of the application which consists of the compiled code. The static scan determines all the available entry points and functions within each binary and executes automated tests to find vulnerabilities. Depending on the sophistication of the product used ,the static scan may also report absence of functionality that may lead to security breaches for example missing encryption or hard coded usernames/passwords in the source code. Dynamic scans are used to perform real time automated testing for web application such as web sites and web services. The main focus of dynamic scans is to focus on form input validation, cross site scripting, and security of the HTTP traffic between the source and destination.
Manual penetration testing is used on top of the automated tests. It overlays human expertise on top of testing performed by the automated tools. The main benefit of manual testing is that the security experts can look into the design, architecture and business rules of the application and identify security flaws.