WHAT IS PENTESTING (Ethical hacking)

Pentesting (penetration testing, ethical hacking) is a simulated cyber attack on a system or application.

The purpose of pentesting is to uncover vulnerabilities and explore the effectiveness of defenses using both manual and automated methods. By locating and patching vulnerabilities through penetration testing on a regular basis, companies can reduce their risk of malicious hackers breaching their environment.

In the current age, a majority of modern techniques used by ethical hackers fall under three main types of testing: black box testing, gray box testing, and white box testing.

In a black-box testing assignment, the penetration tester is placed in the role of the average hacker, with no internal knowledge of the target system. Testers are not provided with any architecture diagrams or source code that is not publicly available. A black-box penetration test determines the vulnerabilities in a system that are exploitable from outside the network.

Now, black box testing encompasses a whole lot of testing techniques and designs, with some of the most popular being:

Black box testing proves to be very useful for identifying vague vulnerabilities in smaller systems and specific sections of a more complex system. Testers are easier to come by as their technical requirements are not as complex. However, the main downside that comes with black box testing is in its inefficiency in providing valuable tests for larger systems.

A step up from black-box testing is gray-box testing. If a black-box tester is examining a system from an outsider’s perspective, a gray-box tester has the access and knowledge levels of a user, potentially with elevated privileges on a system. One way to think of gray box testing is a mix between black box and white box testing.

Gray-box pentesters typically have some knowledge of a network’s internals, potentially including design and architecture documentation and an account internal to the network.

The most popular gray box testing techniques that are commonly used today are:

The appeals of gray box testing come with its non-intrusive and unbiased testing. Testers won’t necessarily need to look at source code or the intricacies of a system like that of a white box tester/ developer.

White-box testing goes by several different names, including clear-box, open-box, auxiliary and logic-driven testing. It falls on the opposite end of the spectrum from black-box testing.

In white box testing, ethical hackers are given full access to source code, architecture documentation and more. Testers are fully versed in the software that's being tested and are usually software developers who have a much stronger coding knowledge/skills than the previous types of testing. The testers will map out all of the code, using their expertise to match expected outcomes with those they found.

The most popular white box testing techniques that are commonly used today are:

The main challenge with white-box testing is sifting through the massive amount of data available to identify potential points of weakness, making it the most time-consuming type of penetration testing. However, because of this, it opens up the ability to optimize code and provide solutions as the developers have an in-depth understanding of the program’s source code.

SecureState uses a combination of automated tools and manual testing to provide a hybrid approach that includes proactive and reactive security testing activities. Our team has decades of cybersecurity experience with some of the largest tech companies including AWS, VMware, Google and Nintendo.

Take the first step to security and schedule a call today!