The term pen testing, short for penetration testing, refers to testing an application for weaknesses, such as security weaknesses and load problems, though not only these. The application can be software, a website, an online service, a game and more.
There are several types of penetration testing that you can perform on your service. One is to run step-by-step automated test cases that the service is supposed to accept, using several bot users that copy real user behavior, until one or more of the known cases successfully penetrates the application and is marked as a problem.
Another pen testing method is to use pen testing tools to perform load testing on the service: you send a lot of users at the same time to check how many users the service can hold in a short period of time.
The last one we will discuss here is a security penetration test. This method also uses pen testing tools, which run against our service to check for security issues. On a successful penetration, the tools output information about the security weakness that was found, meaning that there is an open security hole in the service that can make it vulnerable to attacks by hackers.
After running a full cycle of pen testing, starting in the development environment, the team goes back to fix the problems in the application code and re-runs a pen testing cycle to verify that the application can handle the problems that were fixed.
In a big application, such as a distributed application, it is very important to pen test all the components of the application: user interface (UI), server, DB, multi-user support and so on. You can think of pen testing as QA tests for security weaknesses.
In a website penetration test you check locations that accept parameters from the user, such as registration forms and search boxes. You also need to check locations that connect to databases to verify that your site is free from SQL injection, and all the pages in the site to verify that cross-site scripting is not possible.
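The checks described above, applied to a search box, as an added example that is not part of the original article: each handler is shown in a weak and a corrected form, and the same check is run against both, which is also how a fix is verified on the re-run. The table, handler names and probe strings are hypothetical and constructed for this example.

```python
import html
import sqlite3

def make_db():
    # Constructed sample data in an in-memory database.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, email TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", "alice@example.test"), ("bob", "bob@example.test")])
    return db

def search_unsafe(db, term):
    # Weak form: the user parameter is concatenated into the SQL text.
    return db.execute("SELECT name FROM users WHERE name = '" + term + "'").fetchall()

def search_safe(db, term):
    # Corrected form: the parameter is bound, so it is only ever data.
    return db.execute("SELECT name FROM users WHERE name = ?", (term,)).fetchall()

def render_unsafe(term):
    # Weak form: the search term is reflected into the page as markup.
    return "<p>Results for " + term + "</p>"

def render_safe(term):
    # Corrected form: the term is HTML-encoded before it reaches the page.
    return "<p>Results for " + html.escape(term) + "</p>"

# Constructed probe inputs; no user with this name exists in the sample data.
SQL_PROBE = "nobody' OR '1'='1"
XSS_PROBE = "<script>alert(1)</script>"

def check_search(search):
    """Return findings for a search handler (empty list means the check passed)."""
    try:
        rows = search(make_db(), SQL_PROBE)
    except sqlite3.Error:
        return ["sql-injection: probe broke the query syntax"]
    return ["sql-injection: probe changed the query result"] if rows else []

def check_render(render):
    """Return findings for a page renderer (empty list means the check passed)."""
    return ["xss: markup reflected unencoded"] if XSS_PROBE in render(XSS_PROBE) else []

if __name__ == "__main__":
    for handler in (search_unsafe, search_safe):
        print(handler.__name__, check_search(handler))
    for handler in (render_unsafe, render_safe):
        print(handler.__name__, check_render(handler))
```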
A penetration testing methodology is a set of steps and/or rules that one can apply to the testing process. With a methodology it is easier to understand where the critical and problematic points are, and easier for the developers to understand how to fix them. This can include systematic and precise penetration testing, as well as finding and understanding anything an attacker might obtain, or already has, in case of a successful penetration.
Some known pen testing tools are:
- Kali Linux (BackTrack)
- Zed Attack Proxy (ZAP)
- Burp Suite
We have covered here, in a nutshell, some information about website penetration tests and penetration testing methodology, and I also gave you a list of some known pen testing tools. There is a lot more information, and there are more methods and steps, to become familiar with penetration testing. If this area of computer security is your favorite, or if you want to learn more about penetration testing, you can find great courses about it at some of the well-known colleges.