The IT Law Wiki

Penetration testing


Definitions

Penetration testing is

[a] test methodology in which assessors, using all available documentation (e.g., system design, source code, manuals) and working under specific constraints, attempt to circumvent the security features of an information system.[1]
[t]he portion of security testing in which the evaluators attempt to circumvent the security features of a system. The evaluators may be assumed to use all system design and implementation documentation, which may include listings of system source code, manuals, and circuit diagrams. The evaluators work under the same constraints applied to ordinary users.[2]
the practice of testing a computer system, network or Web application to identify vulnerabilities that an attacker could exploit.[3]

Overview

Penetration testing can use many methods to attempt a system break-in. In addition to using active automated tools, . . . penetration testing can be done "manually." For many systems, lax procedures or a lack of internal controls on applications are common vulnerabilities that penetration testing can target. Penetration testing is a very powerful technique; it should preferably be conducted with the knowledge and consent of system management.[4]

"Penetration tests are valuable for several reasons:

Penetration Tests can take different forms depending on a firm's specific objectives for the test. Each of these contributes in its own way to an overall defense-in-depth strategy."[5]

References

  1. NIST Special Publication 800-53A.
  2. Department of Defense, National Computer Security Center, Glossary of Computer Security Terms (NCSC-TG-004, Ver. 1) (Oct. 21, 1988).
  3. Report on Cyber Security in the Banking Sector, at 5.
  4. NIST Special Publication 800-33, at 25.
  5. Report on Cybersecurity Practices, at 21.
