What is a penetration test?


A software penetration test - or pen test - is a deliberate attempt to find vulnerabilities in software and systems using an authorised simulation of a cyber-attack. Penetration testing is performed by third-party organisations, end users of the software and sometimes internally by a software development team. The benefit of a third-party or end user performing the pen test is that they can be more unscrupulous in looking for vulnerabilities that can be exploited.

How does a pen test differ from vulnerability scanning?

As with vulnerability scanning, pen tests look for cyber vulnerabilities that could be exploited. Vulnerability scanning is typically a 'hands-off', ongoing process. It’s relatively easy to set up and automate regular vulnerability scans, making it a cost-effective measure for continuous monitoring. For example, Synectics perform daily third-party vulnerability scans on Synergy.

For more info on software vulnerabilities check out this article: What is a software vulnerability and how are they managed?

Pen tests combine scanning for vulnerabilities with human input and knowledge of how the vulnerabilities can be exploited. In the case of a 'white box' pen test this can include internal knowledge such as the code and logic of the software and systems. Stakeholders agree the scope of the pen test based on the level of analysis required and the risk profile of the software system, providing flexibility, customisation and tailored reporting of any vulnerabilities found. As with vulnerability scanning, pen test reports categorise vulnerabilities using the Common Vulnerability Scoring System (CVSS), which considers risk based on the likelihood and impact of the vulnerability being exploited.

Pen tests evaluate the software system in a more holistic manner, unlike vulnerability scanning, which may be limited to a subset of software components. Pen tests are broader in coverage and provide a deeper analysis of vulnerabilities. They are more time-consuming and require human input, and are therefore not carried out as frequently as vulnerability scans. Pen tests are usually undertaken on as-installed solutions, which include the infrastructure and access to those systems.


As an analogy for a pen test, imagine we were checking the security of your house rather than software. A vulnerability scan of your house can routinely check if your windows are open, whereas a pen test will also identify windows big enough to get a burglar through, look for ladders that make it easier for them and then see what chaos can be caused once they’ve broken into the house.

What pen tests do Synectics carry out?

Synectics work with certified third-party pen test organisations to assess our product portfolio, including our Cloud solutions and our Synergy web and mobile applications. We also collaborate with key customers who arrange external pen tests on their Synergy system. The frequency of pen tests depends on the software platform but is typically annual.